We have just released Go versions 1.17.1 and 1.16.8 minor point releases.
These minor releases include a security fix according to the new security policy (#44918).
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.
This is issue #47801 and CVE-2021-39293.
Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
View the release notes for more information:
You can download binary and source distributions from the Go web site:
To compile from source using a Git clone, update to the release with
"git checkout go1.17.1" and build as usual.
Thanks to everyone who contributed to the releases.
Than, Cherry, and Alex for the Go team