We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.
Thanks to @q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
View the release notes for more information:
You can download binary and source distributions from the Go website:
To compile from source using a Git clone, update to the release with
git checkout go1.19.1 and build as usual.
Thanks to everyone who contributed to the releases.
Michael and Heschi for the Go team