[security] Go 1.19.3 and Go 1.18.8 pre-announcement

1,596 views
Skip to first unread message

anno...@golang.org

unread,
Oct 26, 2022, 3:17:50 PM10/26/22
to golan...@googlegroups.com

Hello gophers,

We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1.

These minor releases include PRIVATE security fixes to the standard library.

Following our security policy, this is the pre-announcement of those releases.

Thanks,
Tatiana and Heschi for the Go team

Jan Schaumann

unread,
Oct 29, 2022, 7:14:50 PM10/29/22
to golang-nuts
Would it be possible for the Golang team to say whether this update is related to the OpenSSL vulnerability to be announced on the same day?

Knowing this would help a lot of people plan and prioritize their defensive actions on that day.

Ian Lance Taylor

unread,
Oct 29, 2022, 7:53:22 PM10/29/22
to Jan Schaumann, golang-nuts
On Sat, Oct 29, 2022 at 4:14 PM 'Jan Schaumann' via golang-nuts
<golan...@googlegroups.com> wrote:
>
> Would it be possible for the Golang team to say whether this update is related to the OpenSSL vulnerability to be announced on the same day?
>
> Knowing this would help a lot of people plan and prioritize their defensive actions on that day.

While I do not myself know what vulnerabilities are leading to the
minor Go releases, I have been told that they are not related to the
OpenSSL vulnerability.

Ian


> On Wednesday, October 26, 2022 at 3:17:50 PM UTC-4 anno...@golang.org wrote:
>>
>> Hello gophers,
>>
>> We plan to issue Go 1.19.3 and Go 1.18.8 on Tuesday, November 1.
>>
>> These minor releases include PRIVATE security fixes to the standard library.
>>
>> Following our security policy, this is the pre-announcement of those releases.
>>
>> Thanks,
>> Tatiana and Heschi for the Go team
>
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/51a14567-1886-40ef-bb0f-0723427deef8n%40googlegroups.com.

Thomas Frössman

unread,
Oct 30, 2022, 4:29:57 PM10/30/22
to anno...@golang.org, golan...@googlegroups.com
Would it be possible to get narrower time windows for these security releases? 

A  date without a specified time zone is a span of 48 hours which is impossible for me to plan for. I can't stay up all night or reasonably ask them from others just in case a Go security fix happens to drop at any time on a date.

A window of maybe 4 hours in a specified time zone (UTC) would make it possible for me to actually be ready to check for these releases when they drop.

--
You received this message because you are subscribed to the Google Groups "golang-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-announ...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-announce/SqV2R4AQQTOjO-b9c0RHQA%40geopod-ismtpd-2-3.


--
Thomas Frössman
Reply all
Reply to author
Forward
0 new messages