We have just released Go versions 1.17.7 and 1.16.14, minor point releases.
- crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Thanks to Guido Vranken for reporting this.
This is CVE-2022-23806 and https://go.dev/issue/50974.
- math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.
This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
- cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.
This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minorYou can download binary and source distributions from the Go web site:
https://go.dev/dl/To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.
Thanks to everyone who contributed to the releases.
Cheers,
Cherry and Alex for the Go team