I updated my release related resources:

- Go Release Timeline <https://pocketgophers.com/go-release-timeline/>
- When Should You Upgrade Go? <https://pocketgophers.com/when-should-you-upgrade-go/>

Hope the community finds them useful.

Nathan

On Wednesday, October 4, 2017 at 10:35:07 PM UTC+2, Chris Broadfoot wrote:
>
> Hi gophers,
>
> Two security-related issues were recently reported.
> To address this issue, we have just released Go 1.8.4 and Go 1.9.1.
>
> We recommend that all users update to one of these releases (if you're not
> sure which, choose Go 1.9.1).
>
> The issues addressed by these releases are:
>
> By nesting a git checkout inside another version control repository, it
> was possible for an attacker to trick the “go get” command into executing
> arbitrary code. The go command now refuses to use version control checkouts
> found inside other version control systems, with an exception for git
> submodules (git inside git).
> The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
> https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the
> issues.
> Thanks to Simon Rawet for the report.
>
> In the smtp package, PlainAuth is documented as sending credentials only
> over authenticated, encrypted TLS connections, but it was changed in Go 1.1
> to also send credentials on non-TLS connections when the remote server
> advertises that PLAIN authentication is supported. The change was meant to
> allow use of PLAIN authentication on localhost, but it has the effect of
> allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
> requires either TLS or a localhost connection before sending credentials,
> regardless of what the remote server claims.
> This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
> https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the
> issues.
> Thanks to Stevie Johnstone for the report.
>
> Downloads are available at https://golang.org/dl for all supported
> platforms.
>
> Cheers,
> Chris (on behalf of the Go team)
>

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
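
As an added example (not part of the original messages and not the Go project's own code), the following Go program checks whether the toolchain it is built with has the PlainAuth behaviour described in the quoted announcement. It calls the `Start` method of the `smtp.Auth` returned by `smtp.PlainAuth` with constructed `smtp.ServerInfo` values that always advertise PLAIN; the host names and credentials are constructed placeholders and no network connection is made.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// offersCredentials reports whether smtp.PlainAuth agrees to send credentials
// to a server with the given name and TLS state. The server always advertises
// PLAIN, which is the claim the fixed releases no longer trust on its own.
func offersCredentials(host string, tlsActive bool) (bool, error) {
	// Constructed placeholder credentials; nothing is sent over a network.
	auth := smtp.PlainAuth("", "user@example.com", "constructed-password", host)
	server := &smtp.ServerInfo{Name: host, TLS: tlsActive, Auth: []string{"PLAIN"}}
	proto, resp, err := auth.Start(server)
	if err != nil {
		return false, err
	}
	return proto == "PLAIN" && len(resp) > 0, nil
}

func main() {
	cases := []struct {
		host string
		tls  bool
	}{
		{"mail.example.com", false}, // remote, cleartext: must be refused
		{"mail.example.com", true},  // remote, TLS: allowed
		{"localhost", false},        // localhost exception from the announcement
	}
	for _, c := range cases {
		ok, err := offersCredentials(c.host, c.tls)
		fmt.Printf("host=%-17s tls=%-5v credentials offered=%-5v err=%v\n",
			c.host, c.tls, ok, err)
	}
}
```

A build that offers credentials in the first case predates the fix and should be upgraded.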