Hi Go team, It seems that the go1.12.10 and go1.13.1 tags are dangling/missing, it's not possible to do `git checkout go1.12.10` or `git checkout go1.13.1`
https://go.googlesource.com/go/+/refs/heads/release-branch.go1.12 https://github.com/golang/go/commits/release-branch.go1.12 https://go.googlesource.com/go/+/refs/heads/release-branch.go1.13 https://github.com/golang/go/commits/release-branch.go1.13 Le mercredi 25 septembre 2019 23:58:08 UTC+2, Filippo Valsorda a écrit : > > Hi gophers, > > We have just released Go 1.13.1 and Go 1.12.10 to address a recently > reported security issue. We recommend that all affected users update to one > of these releases (if you’re not sure which, choose Go 1.13.1). > > net/http (through net/textproto) used to accept and normalize invalid > HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. > If a Go server is used behind an uncommon reverse proxy that accepts and > forwards but doesn't normalize such invalid headers, the reverse proxy and > the server can interpret the headers differently. This can lead to filter > bypasses or request smuggling > <https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn>, > the latter if requests from separate clients are multiplexed onto the same > upstream connection by the proxy. Such invalid headers are now rejected by > Go servers, and passed without normalization to Go client applications. > > The issue is CVE-2019-16276 and Go issue golang.org/issue/34540. > > Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik > (masarik.sh) for discovering and reporting this issue. > > Downloads are available at https://golang.org/dl for all supported > platforms. > > Alla prossima, > Filippo on behalf of the Go team > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/fcb080de-798e-40f0-8e68-7b97774832cd%40googlegroups.com.
