Two security-related issues were recently reported, and to address these 
issues we have just released Go 1.6.4 and Go 1.7.4.

We recommend that all users update to one of these releases (if you're not 
sure which, choose Go 1.7.4).

The issues addressed by these releases are:

On Darwin, user's trust preferences for root certificates were not honored. 
If the user had a root certificate loaded in their Keychain that was 
explicitly not trusted, a Go program would still verify a connection using 
that root certificate.
This is addressed by, tracked in
Thanks to Xy Ziemba for identifying and reporting this issue.

The net/http package's Request.ParseMultipartForm method starts writing to 
temporary files once the request body size surpasses the given "maxMemory" 
limit. It was possible for an attacker to generate a multipart request 
crafted such that the server ran out of file descriptors.
This is addressed by, tracked in
Thanks to Simon Rawet for the report.

Downloads are available at for all supported 

You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
For more options, visit

Reply via email to