[security] Go 1.17.7 and Go 1.16.14 are released

3624 views
Skip to first unread message

Cherry Mui

unread,
Feb 10, 2022, 6:16:36 PMFeb 10
to golan...@googlegroups.com
Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security policy:

  • crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

    Some big.Int values that are not valid field elements (negative or overflowing)
  • might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
    may cause a panic or an invalid curve operation. Note that Unmarshal will never
    return such values.

    Thanks to Guido Vranken for reporting this.

    This is CVE-2022-23806 and https://go.dev/issue/50974.

  • math/big: prevent large memory consumption in Rat.SetString

    An attacker can cause unbounded memory growth in a program using (*Rat).SetString
    due to an unhandled overflow.

    Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
    (@odeke_et) for reporting it.

    This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

  • cmd/go: prevent branches from materializing into versions

    A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
    can be considered a valid version by the go command. Materializing versions from
    branches might be unexpected and bypass ACLs that limit the creation of tags but not
    branches.

    This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:
    https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
    https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team

Reply all
Reply to author
Forward
0 new messages