[security] Go 1.17.7 and Go 1.16.14 are released

Skip to first unread message

Cherry Mui

Feb 10, 2022, 6:16:36 PM2/10/22
to golan...@googlegroups.com
Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security policy:

  • crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

    Some big.Int values that are not valid field elements (negative or overflowing)
  • might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
    may cause a panic or an invalid curve operation. Note that Unmarshal will never
    return such values.

    Thanks to Guido Vranken for reporting this.

    This is CVE-2022-23806 and https://go.dev/issue/50974.

  • math/big: prevent large memory consumption in Rat.SetString

    An attacker can cause unbounded memory growth in a program using (*Rat).SetString
    due to an unhandled overflow.

    Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
    (@odeke_et) for reporting it.

    This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

  • cmd/go: prevent branches from materializing into versions

    A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
    can be considered a valid version by the go command. Materializing versions from
    branches might be unexpected and bypass ACLs that limit the creation of tags but not

    This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:

You can download binary and source distributions from the Go web site:

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cherry and Alex for the Go team

Reply all
Reply to author
0 new messages