We have just released Go 1.14.5 and Go 1.13.13 to address two recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.14.5).
Data race in certain net/http servers including ReverseProxy
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.
Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse for reporting this issue.
This issue is CVE-2020-15586 and Go issue golang.org/issue/34902.
X.509 verification ignores provided EKUs on Windows
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages.
Thanks to Niall Newman for reporting this issue.
This issue is CVE-2020-14039 and Go issue golang.org/issue/39360.
The upcoming Go 1.15rc1 release will also include the fixes above.
We would also like to thank Andy Lindeman, who reported a cross-site scripting vulnerability and a CSP bypass in pkg.go.dev, now fixed.
Downloads are available at https://golang.org/dl for all supported platforms.
Katie and Filippo on behalf of the Go team