Go 1.16.4 and Go 1.15.12 are released


Carlos Amedee

May 6, 2021, 3:12:57 PM
to golan...@googlegroups.com
Hello gophers,

We have just released Go versions 1.16.4 and 1.15.12, minor point releases.

This minor release includes a security fix according to the new security policy (#44918).

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/n...@v0.0.0-20210428140749-89ef3d95e781.

This is issue #45710 and CVE-2021-31525.

Thanks to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

View the release notes for more information:

You can download binary and source distributions from the Go web site:

To compile from source using a Git clone, update to the release with
"git checkout go1.16.4" and build as usual.

Thanks to everyone who contributed to the releases.

Heschi and Carlos for the Go team
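The announcement's server-side condition (the default 1MB MaxHeaderBytes is safe; raising it past the 7MB/4MB figure puts an unpatched server in reach of a malicious client) is easy to audit in a deployment. The following is an added example, not code from the Go team or from the announcement: it resolves a Server's effective header limit the way net/http does (zero means http.DefaultMaxHeaderBytes) and compares it against the thresholds quoted above. The threshold constants, the serverExposed helper and the two sample Server configurations are constructed for illustration; the check is an approximation of the figures in the announcement and is no substitute for upgrading, which is the only fix for the Transport and Client side.

```go
package main

import (
	"fmt"
	"math/bits"
	"net/http"
	"time"
)

// Header sizes quoted in the announcement: above these, unpatched
// ReadRequest/ReadResponse hit the unrecoverable panic. (Constructed
// constants for this example; the announcement gives the figures.)
const (
	panicThreshold64 = 7 << 20 // 7MB on 64-bit architectures
	panicThreshold32 = 4 << 20 // 4MB on 32-bit architectures
)

// effectiveMaxHeaderBytes resolves the limit the way net/http does:
// a zero or negative MaxHeaderBytes means the 1MB default applies.
func effectiveMaxHeaderBytes(srv *http.Server) int {
	if srv.MaxHeaderBytes > 0 {
		return srv.MaxHeaderBytes
	}
	return http.DefaultMaxHeaderBytes
}

// serverExposed reports whether an unpatched server with this configuration
// accepts header blocks large enough to trigger the panic on the given
// pointer width. Hypothetical helper, not part of net/http.
func serverExposed(srv *http.Server, is64Bit bool) bool {
	limit := panicThreshold32
	if is64Bit {
		limit = panicThreshold64
	}
	return effectiveMaxHeaderBytes(srv) > limit
}

// currentArchExposed applies serverExposed to the architecture this
// binary was built for.
func currentArchExposed(srv *http.Server) bool {
	return serverExposed(srv, bits.UintSize == 64)
}

// riskyServer is a constructed example of the overridden configuration the
// announcement warns about: the limit is raised well past the threshold.
func riskyServer() *http.Server {
	return &http.Server{
		Addr:              ":8080",
		MaxHeaderBytes:    16 << 20, // 16MB: above both thresholds
		ReadHeaderTimeout: 5 * time.Second,
	}
}

// hardenedServer keeps the limit at the default, which the announcement
// states is not affected.
func hardenedServer() *http.Server {
	return &http.Server{
		Addr:              ":8080",
		MaxHeaderBytes:    http.DefaultMaxHeaderBytes, // 1MB, the default
		ReadHeaderTimeout: 5 * time.Second,
	}
}

func main() {
	for name, srv := range map[string]*http.Server{
		"risky":    riskyServer(),
		"hardened": hardenedServer(),
		"default":  {Addr: ":8080"},
	} {
		fmt.Printf("%-8s MaxHeaderBytes=%-9d exposed=%v\n",
			name, effectiveMaxHeaderBytes(srv), currentArchExposed(srv))
	}
}
```

Run it against the Server values used in your own services; any configuration the helper flags should be brought back to the default (or at least below the quoted thresholds) until the binary is rebuilt with a fixed Go release.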