We have just released Go versions 1.17.5 and 1.16.12, minor point releases.
These minor releases include two security fixes following the security policy:
- net/http: limit growth of header canonicalization cache
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.
For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.
This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.
Thank you to murakmii for reporting this issue.
This is CVE-2021-44716 and Go issue go.dev/issue/50058.
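The stop-gap above has an ordering requirement: net/http reads GODEBUG when Serve (or ServeTLS) is first called, so the variable has to be set before that point. The following program, an added example and not code from the Go team or this announcement, classifies the toolchain a binary was built with from runtime.Version(), and on an affected toolchain applies the announcement's mitigation before serving. The function names NeedsUpdate and DisableHTTP2IfVulnerable are this example's own; the fixed versions are the ones named in the announcement, and versions such as "go1.18beta1" or "devel +abc123" (constructed inputs) are deliberately rejected because the announcement says nothing about them.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"os"
	"regexp"
	"runtime"
	"strconv"
)

// fixedMinor maps a Go minor series to the first patch release carrying the
// fixes announced here: go1.17.5 and go1.16.12.
var fixedMinor = map[int]int{17: 5, 16: 12}

// Release versions look like "go1.17" or "go1.17.4"; betas, RCs and devel
// builds do not match and are treated as unclassifiable.
var versionRe = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?$`)

// NeedsUpdate reports whether a release version string (as returned by
// runtime.Version()) predates the fixed release for its minor series.
func NeedsUpdate(version string) (bool, error) {
	m := versionRe.FindStringSubmatch(version)
	if m == nil {
		return false, errors.New("not a Go release version: " + version)
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	fixed, ok := fixedMinor[minor]
	if !ok {
		// Series older than 1.16 were out of support when these releases
		// shipped and did not receive the fix; series newer than 1.17 were
		// cut after the fix landed on the main branch.
		return minor < 16, nil
	}
	return patch < fixed, nil
}

// DisableHTTP2IfVulnerable applies the announcement's stop-gap: when the
// binary was built with an affected toolchain, it appends http2server=0 to
// GODEBUG so the bundled HTTP/2 server is not enabled. It must run before
// Serve/ServeTLS. It returns true when the mitigation was applied.
func DisableHTTP2IfVulnerable(version string) (bool, error) {
	vulnerable, err := NeedsUpdate(version)
	if err != nil || !vulnerable {
		return false, err
	}
	godebug := os.Getenv("GODEBUG")
	if godebug != "" {
		godebug += ","
	}
	return true, os.Setenv("GODEBUG", godebug+"http2server=0")
}

func main() {
	applied, err := DisableHTTP2IfVulnerable(runtime.Version())
	if err != nil {
		log.Printf("cannot classify %s (%v); not applying the GODEBUG stop-gap", runtime.Version(), err)
	} else if applied {
		log.Printf("%s predates the fix; HTTP/2 disabled via GODEBUG=%s", runtime.Version(), os.Getenv("GODEBUG"))
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "built with %s, request protocol %s\n", runtime.Version(), r.Proto)
	})
	// The bundled HTTP/2 server is negotiated over TLS (ALPN), so in a real
	// deployment the call below would be ListenAndServeTLS; the ordering
	// (GODEBUG set first, then Serve) is what matters.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

Note that the GODEBUG route does not cover servers that wire HTTP/2 themselves through golang.org/x/net/http2; for those, the announcement's remedy is the listed x/net/http2 version.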
- syscall: don’t close fd 0 on ForkExec error
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.
For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.
Thank you to Tomasz Maczukin and Kamil Trzciński of GitLab for reporting this issue.
This is CVE-2021-44717 and Go issue go.dev/issue/50057.
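The mitigation above, raising the per-process file descriptor limit, is something a Unix process can do for itself at startup: the soft RLIMIT_NOFILE may be raised up to the hard limit without privilege. The program below is an added example, not code from the announcement or the Go project; RaiseFDLimit and Fd0Open are this example's own names. Fd0Open is the cheap sanity check that follows from the bug description: if fd 0 has been closed behind the process's back, fstat on it fails with EBADF. This is Unix-only, like the issue itself.

```go
package main

import (
	"fmt"
	"log"
	"syscall"
)

// RaiseFDLimit raises the soft RLIMIT_NOFILE to the hard limit, which an
// unprivileged process is always permitted to do, and returns the limit the
// kernel reports afterwards. A higher limit makes the "out of file
// descriptors" condition that triggers the ForkExec bug far less likely.
func RaiseFDLimit() (syscall.Rlimit, error) {
	var lim syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
		return lim, fmt.Errorf("getrlimit: %w", err)
	}
	if lim.Cur < lim.Max {
		lim.Cur = lim.Max
		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, &lim); err != nil {
			return lim, fmt.Errorf("setrlimit: %w", err)
		}
	}
	// Re-read so the caller sees what was actually applied.
	err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim)
	return lim, err
}

// Fd0Open reports whether descriptor 0 is still a valid descriptor. EBADF
// means something closed fd 0 out from under the process, which is the
// precondition for the misdirected I/O described in the announcement: the
// next Open or Socket call would be handed fd 0.
func Fd0Open() bool {
	var st syscall.Stat_t
	return syscall.Fstat(0, &st) != syscall.EBADF
}

func main() {
	lim, err := RaiseFDLimit()
	if err != nil {
		log.Fatalf("raising RLIMIT_NOFILE: %v", err)
	}
	log.Printf("RLIMIT_NOFILE soft=%d hard=%d", lim.Cur, lim.Max)
	// Worth checking after a burst of exec failures on an unpatched toolchain.
	log.Printf("fd 0 open: %v", Fd0Open())
}
```

Raising the limit is a mitigation, not a fix: a process that still exhausts the hard limit can still hit the bug, so updating to go1.17.5 or go1.16.12 remains the actual remedy.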
View the release notes for more information: https://golang.org/doc/devel/release.html#go1.17.minor
You can download binary and source distributions from the Go web site: https://golang.org/dl/
To compile from source using a Git clone, update to the release with
"git checkout go1.17.5" and build as usual.
Thanks to everyone who contributed to the releases.
Alex and Filippo for the Go team