[security] Go 1.7.4 and Go 1.6.4 are released


Chris Broadfoot

Dec 1, 2016, 4:54:48 PM
to golang-dev
Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.4 and Go 1.7.4.

We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.7.4).

The issues addressed by these releases are:

On Darwin, a user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
Thanks to Xy Ziemba for identifying and reporting this issue.

The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
Thanks to Simon Rawet for the report.

Downloads are available at https://golang.org/dl for all supported platforms.
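The second issue above is a resource-exhaustion bug in Request.ParseMultipartForm: once a part exceeds maxMemory it is spilled to a temporary file, so a request with enough oversized parts could exhaust the server's file descriptors. Upgrading to Go 1.6.4/1.7.4 is the fix; independently of the fix, a handler can bound how much of the body the multipart parser is ever allowed to read. The following is an added example, not code from the Go release or this thread. It uses the standard library only (http.MaxBytesReader, mime/multipart, net/http/httptest); the handler name, form field name "upload" and the size thresholds are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// uploadHandler returns a handler that accepts a multipart form but caps the
// whole request body at maxBody bytes before the multipart parser sees it.
// maxMemory is the per-request threshold above which ParseMultipartForm
// spills file parts into temporary files.
func uploadHandler(maxMemory, maxBody int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Hard cap on bytes read from the wire. Once exceeded, further reads
		// fail with *http.MaxBytesError and the multipart parser stops, so
		// an attacker cannot make the server spill unbounded data to disk.
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)

		if err := r.ParseMultipartForm(maxMemory); err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "malformed multipart request", http.StatusBadRequest)
			return
		}
		// Parts that spilled to disk are backed by temp files; remove them
		// when the handler finishes so descriptors and disk space are
		// released promptly rather than at garbage-collection time.
		defer r.MultipartForm.RemoveAll()

		parts := r.MultipartForm.File["upload"]
		fmt.Fprintf(w, "received %d file part(s)\n", len(parts))
	})
}

// postMultipart builds a constructed multipart/form-data request containing
// one file part of partSize bytes, runs it through h in-process and returns
// the HTTP status code the handler produced.
func postMultipart(h http.Handler, partSize int) int {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	fw, err := mw.CreateFormFile("upload", "blob.bin")
	if err != nil {
		panic(err)
	}
	if _, err := fw.Write(bytes.Repeat([]byte{'A'}, partSize)); err != nil {
		panic(err)
	}
	if err := mw.Close(); err != nil {
		panic(err)
	}

	req := httptest.NewRequest(http.MethodPost, "/upload", &body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// 32 KiB in memory per request, 64 KiB total body: constructed limits.
	h := uploadHandler(32<<10, 64<<10)
	for _, size := range []int{1 << 10, 48 << 10, 100 << 10} {
		fmt.Printf("part of %6d bytes -> HTTP %d\n", size, postMultipart(h, size))
	}
}
```

The 48 KiB case exceeds maxMemory and is spilled to a temporary file, which is exactly the path the advisory describes; the 100 KiB case trips the body cap first and is rejected with 413 before any further temp files can be created. The body limit should be set from what the endpoint legitimately needs, not from maxMemory.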

Chris Broadfoot

Dec 1, 2016, 5:20:50 PM
to golang-dev
Quick update: go1.7.4 was tagged with the wrong commit.

It has been updated from:
go1.7.4 0ad8bf4122de7396f771ed12f86934ea3177d6cf
to
go1.7.4 6b36535cf382bce845dd2d272276e7ba350b0c6b

If you built from the go1.7.4 tag at 0ad8b, the version will be incorrectly reported as "go1.7.3".

The binaries hosted at https://golang.org/dl are unaffected.

Jakub Cajka

Dec 2, 2016, 10:47:57 AM
to Chris Broadfoot, golang-dev
Hello,

Were CVEs assigned to these vulnerabilities? Are they still embargoed, as I can't find any?

Thanks,

JC


Russ Cox

Dec 2, 2016, 10:57:44 AM
to Jakub Cajka, Chris Broadfoot, golang-dev
I believe we did not request CVEs for these vulnerabilities.

Russ

ksei...@redhat.com

Jan 30, 2017, 12:13:43 PM
to golang-dev
Can you please get CVEs for these issues? thanks.

ksei...@redhat.com

Jul 27, 2017, 5:19:50 PM
to golang-dev