[security] Go 1.6.3 and 1.7rc2 are released


Chris Broadfoot

Jul 18, 2016, 12:59:54 PM
to golang-nuts
A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 will contain a fix for this issue.

Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405

The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/

Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.

Downloads are available at https://golang.org/dl for all supported platforms.

Cheers,
Chris (on behalf of the Go team)
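The flaw described above comes from two things lining up: a CGI host exports every request header as an `HTTP_<NAME>` variable, so a `Proxy` header becomes `HTTP_PROXY`, and proxy-aware clients read `HTTP_PROXY` to choose an outgoing proxy. The following is an added illustration, not code from the Go release or from CL 25010: `headersToEnv` reproduces the header-to-environment mapping in its original and hardened forms, and `proxyFromEnv` shows the client-side defence of refusing `HTTP_PROXY` whenever `REQUEST_METHOD` indicates a CGI process. The header value and the `REQUEST_METHOD` value are constructed sample data; the function names are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// headersToEnv mirrors the CGI rule (RFC 3875, section 4.1.18) that turns a
// request header into an HTTP_* environment variable: canonicalise the
// name, upper-case it and replace '-' with '_'. With hardened=false the
// client-supplied "Proxy" header lands in HTTP_PROXY, which is the
// collision the advisory describes. With hardened=true that one header
// is dropped before it can reach the environment.
func headersToEnv(headers map[string]string, hardened bool) map[string]string {
	env := make(map[string]string, len(headers))
	for name, value := range headers {
		canon := http.CanonicalHeaderKey(name)
		if hardened && canon == "Proxy" {
			continue // the only request header that maps onto HTTP_PROXY
		}
		key := "HTTP_" + strings.ToUpper(strings.ReplaceAll(canon, "-", "_"))
		env[key] = value
	}
	return env
}

// proxyFromEnv picks the outgoing proxy for a client. In a CGI process the
// web server always sets REQUEST_METHOD, and in that situation HTTP_PROXY
// may have come from the request rather than from the operator, so it is
// refused instead of trusted. Outside CGI the variable is honoured as usual.
func proxyFromEnv(env map[string]string) (string, error) {
	proxy := env["HTTP_PROXY"]
	if proxy == "" {
		proxy = env["http_proxy"]
	}
	if proxy != "" && env["REQUEST_METHOD"] != "" {
		return "", fmt.Errorf("refusing to use HTTP_PROXY=%q inside a CGI environment", proxy)
	}
	return proxy, nil
}

func main() {
	// Constructed sample request: a benign header plus a hostile Proxy header.
	headers := map[string]string{
		"User-Agent": "sample-client/1.0",
		"Proxy":      "http://untrusted-proxy.example:8080",
	}

	vulnerable := headersToEnv(headers, false)
	vulnerable["REQUEST_METHOD"] = "GET" // set by the web server for every CGI invocation
	fmt.Println("original mapping, HTTP_PROXY =", vulnerable["HTTP_PROXY"])
	if _, err := proxyFromEnv(vulnerable); err != nil {
		fmt.Println("client-side guard:", err)
	}

	hardened := headersToEnv(headers, true)
	_, present := hardened["HTTP_PROXY"]
	fmt.Println("hardened mapping, HTTP_PROXY present =", present)
}
```

Both halves matter: dropping the header protects child programs written in any language, while the `REQUEST_METHOD` check protects a Go client even when it runs under a CGI host that was not fixed.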

Sathish VJ

Jul 18, 2016, 1:53:08 PM
to golang-nuts
Not sure if this is a real issue but I noticed it with rc1 also.  Raised a github request here: https://github.com/golang/go/issues/16409

I'm unable to install it on a Mac from .pkg file into any dir except /usr/local/go.

jonathan...@live.com

Jul 18, 2016, 3:11:21 PM
to golang-nuts
Why are the other changes to be released but not related to this security issue not in rc2?

Ian Lance Taylor

Jul 18, 2016, 3:31:13 PM
to jonathan...@live.com, golang-nuts
On Mon, Jul 18, 2016 at 12:11 PM, <jonathan...@live.com> wrote:
> Why are the other changes to be released but not related to this security
> issue not in rc2?

To which changes are you referring?

Ian

jonathan...@live.com

Jul 18, 2016, 4:05:02 PM
to golang-nuts, jonathan...@live.com
Specifically this one https://github.com/golang/go/issues/16308 but perhaps there are others.

jonathan...@live.com

Jul 18, 2016, 4:09:49 PM
to golang-nuts, jonathan...@live.com
Or another example https://github.com/golang/go/issues/16333. It's in master but not the release-branch.go1.7.


Ian Lance Taylor

Jul 18, 2016, 5:49:54 PM
to jonathan...@live.com, golang-nuts
On Mon, Jul 18, 2016 at 1:09 PM, <jonathan...@live.com> wrote:
> Or another example https://github.com/golang/go/issues/16333. Its in master
> but not the release-branch.go1.7.

Oh, I see. The plan, as discussed at the release meeting at Gophercon
but probably never sent to the list, is to do another real release
candidate later this week. The 1.7rc2 release candidate was just
pushed out for the security fix. For the next release candidate all
the relevant changes (which is probably all the changes except for one
that was committed accidentally and then reverted) will be migrated
from the master branch to the 1.7 branch.

jonathan...@live.com

Jul 18, 2016, 7:40:39 PM
to golang-nuts, jonathan...@live.com
Ah, sounds good. By chance is there an estimated date on that? :D

Ian Lance Taylor

Jul 18, 2016, 8:04:43 PM
to jonathan...@live.com, golang-nuts
On Mon, Jul 18, 2016 at 4:40 PM, <jonathan...@live.com> wrote:
> Ah, sounds good. By chance is there an estimated date on that? :D

Wednesday or Thursday.

Chris Broadfoot

Jul 18, 2016, 11:53:14 PM
to Ian Lance Taylor, golang-nuts, jonathan...@live.com

The pre-announcement on golang-nuts also reiterated this plan :)
