We have just released Go versions 1.19.3 and 1.18.8, minor point releases.
These minor releases include 1 security fixes following the security policy:
syscall, os/exec: unsanitized NUL in environment variables
On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.
View the release notes for more information:
You can download binary and source distributions from the Go website:
To compile from source using a Git clone, update to the release with
git checkout go1.19.3 and build as usual.
Thanks to everyone who contributed to the releases.
Matthew and Heschi for the Go team