We have just released Go versions 1.18.1 and 1.17.9, minor point releases.
These minor releases include three security fixes following the security policy:
- encoding/pem: fix stack overflow in Decode
A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.
Thanks to Juho Nurminen of Mattermost who reported the error.
This is CVE-2022-24675 and https://go.dev/issue/51853.
- crypto/elliptic: tolerate all oversized scalars in generic P-256
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
This was discovered thanks to a Project Wycheproof test vector.
This is CVE-2022-28327 and https://go.dev/issue/52075.
- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18
Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.
These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.
Thanks to Tailscale for doing weird things and finding this.
This is CVE-2022-27536 and https://go.dev/issue/51759.
View the release notes for more information: https://go.dev/doc/devel/release#go1.18.minor
You can download binary and source distributions from the Go web site: https://go.dev/dl/
macOS binary artifacts for Go 1.18.1 are not available at this time due to an issue
We are working on providing them as soon as possible. Sorry for the inconvenience.
To compile from source using a Git clone, update to the release with
"git checkout go1.18.1" and build as usual.
Thanks to everyone who contributed to the releases.
Dmitri and Cherry for the Go team