[go-nuts] [security] Go 1.22.3 and Go 1.21.10 are released

2024-05-07 Thread Cherry Mui
Hello gophers,

We have just released Go versions 1.22.3 and 1.21.10, minor point releases.

These minor releases include 2 security fixes following the security policy:

   - cmd/go: arbitrary code execution during build on darwin

   On Darwin, building a Go module which contains CGO can trigger arbitrary
   code execution when using the Apple version of ld, due to usage of the
   -lto_library flag in a "#cgo LDFLAGS" directive.

   Thanks to Juho Forsén of Mattermost for reporting this issue.

   This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.

   - net: malformed DNS message can cause infinite loop

   A malformed DNS message in response to a query can cause the Lookup
   functions to get stuck in an infinite loop.

   Thanks to @long-name-let-people-remember-you on GitHub for reporting
   this issue, and to Mateusz Poliwczak for bringing the issue to our
   attention.

   This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.


View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.3

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.22.3 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
David, Cherry, and Roland for the Go team

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CAOW6QtgDRqOdeq2GDxFyOi2fJMej3cv3KF0AxgovkgTMrpVCuw%40mail.gmail.com.


[go-nuts] [security] Go 1.21.1 and Go 1.20.8 are released

2023-09-06 Thread Cherry Mui
Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

   - cmd/go: go.mod toolchain directive allows arbitrary execution

   The go.mod toolchain directive, introduced in Go 1.21, could be leveraged
   to execute scripts and binaries relative to the root of the module when
   the "go" command was executed within the module. This applies to modules
   downloaded using the "go" command from the module proxy, as well as
   modules downloaded directly using VCS software.

   Thanks to Juho Nurminen of Mattermost for reporting this issue.

   This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

   - html/template: improper handling of HTML-like comments within script
   contexts

   The html/template package did not properly handle HTML-like ""
   comment tokens, nor hashbang "#!" comment tokens, in

[go-nuts] [security] Go 1.17.7 and Go 1.16.14 are released

2022-02-10 Thread Cherry Mui
Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security
policy:


   - crypto/elliptic: fix IsOnCurve for big.Int values that are not valid
   coordinates

   Some big.Int values that are not valid field elements (negative or
   overflowing) might cause Curve.IsOnCurve to incorrectly return true.
   Operating on those values may cause a panic or an invalid curve
   operation. Note that Unmarshal will never return such values.

   Thanks to Guido Vranken for reporting this.

   This is CVE-2022-23806 and https://go.dev/issue/50974.

   - math/big: prevent large memory consumption in Rat.SetString

   An attacker can cause unbounded memory growth in a program using
   (*Rat).SetString due to an unhandled overflow.

   Thanks to the OSS-Fuzz project for discovering this issue and to
   Emmanuel Odeke (@odeke_et) for reporting it.

   This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

   - cmd/go: prevent branches from materializing into versions

   A branch whose name resembles a version tag (such as "v1.0.0" or
   "subdir/v2.0.0-dev") can be considered a valid version by the go
   command. Materializing versions from branches might be unexpected and
   bypass ACLs that limit the creation of tags but not branches.

   This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.


View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team

To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/CAOW6QtgCdq5HWWOF2WhPF3tiV6b1pHY%2BFb5UGvJHV6aKpd2nmw%40mail.gmail.com.
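The crypto/elliptic item in the announcement above describes big.Int coordinates that are negative or larger than the field prime slipping past Curve.IsOnCurve. The following is an added example, not code from the announcement or from the Go project, showing the range check a caller can apply at its own input boundary before handing coordinates obtained from anywhere other than Unmarshal (a JSON field, a database row, a hand-built big.Int) to the curve. The helper names validCoordinate, SafeIsOnCurve and shiftedByP are assumptions of this example; the sample inputs are constructed from the P-256 generator point.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// validCoordinate reports whether v is a canonical field element, i.e. an
// integer in the range [0, P) for the curve's prime P. Negative values and
// values >= P are exactly the "not valid field elements" the advisory names.
func validCoordinate(curve elliptic.Curve, v *big.Int) bool {
	if v == nil {
		return false
	}
	p := curve.Params().P
	return v.Sign() >= 0 && v.Cmp(p) < 0
}

// SafeIsOnCurve (hypothetical helper name) rejects non-canonical
// coordinates before delegating to the curve's own IsOnCurve check, so the
// caller never relies on IsOnCurve's behaviour for out-of-range input.
func SafeIsOnCurve(curve elliptic.Curve, x, y *big.Int) bool {
	if !validCoordinate(curve, x) || !validCoordinate(curve, y) {
		return false
	}
	return curve.IsOnCurve(x, y)
}

// shiftedByP builds a constructed "overflowing" coordinate: v + P is
// congruent to v modulo P, so a check that reduces first would accept it,
// but it is not a canonical field element and must be rejected.
func shiftedByP(curve elliptic.Curve, v *big.Int) *big.Int {
	return new(big.Int).Add(v, curve.Params().P)
}

func main() {
	curve := elliptic.P256()
	params := curve.Params()

	// Constructed sample inputs: the generator point (valid), the
	// generator's x shifted by P (overflowing), and a negated y.
	cases := []struct {
		name string
		x, y *big.Int
	}{
		{"generator", params.Gx, params.Gy},
		{"x overflowing by P", shiftedByP(curve, params.Gx), params.Gy},
		{"negative y", params.Gx, new(big.Int).Neg(params.Gy)},
	}
	for _, c := range cases {
		canonical := validCoordinate(curve, c.x) && validCoordinate(curve, c.y)
		fmt.Printf("%-20s canonical=%-5v safeIsOnCurve=%v\n",
			c.name, canonical, SafeIsOnCurve(curve, c.x, c.y))
	}
}
```

The check is deliberately placed before any curve arithmetic: the advisory's point is that operating on such values may panic or produce an invalid curve operation, so they must not reach the arithmetic at all. Coordinates produced by elliptic.Unmarshal are already canonical and do not need this pre-check.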


[go-nuts] Go 1.18 Beta 1 is released

2021-12-14 Thread Cherry Mui
Hello gophers,

We have just released go1.18beta1, a beta version of Go 1.18.
It is cut from the master branch at the revision tagged go1.18beta1.

Please try your production load tests and unit tests with the new version.
Your help testing these pre-release versions is invaluable.

Report any problems using the issue tracker:
https://golang.org/issue/new

If you have Go installed already, the easiest way to try go1.18beta1
is by using the go command:
$ go install golang.org/dl/go1.18beta1@latest
$ go1.18beta1 download

You can download binary and source distributions from the usual place:
https://golang.org/dl/#go1.18beta1

To find out what has changed in Go 1.18, read the draft release notes:
https://tip.golang.org/doc/go1.18

Cheers,
Cherry and Alex for the Go Team

To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/CAOW6Qth2JW-oVNiiWnoMPXnESigoLxgjbac-dYTmxh-W2YTPYA%40mail.gmail.com.


[go-nuts] Go 1.17 Release Candidate 1 is released

2021-07-13 Thread Cherry Mui
Hello gophers,

We have just released go1.17rc1, a release candidate version of Go 1.17.
It is cut from release-branch.go1.17 at the revision tagged go1.17rc1.

Please try your production load tests and unit tests with the new version.
Your help testing these pre-release versions is invaluable.

Report any problems using the issue tracker:
https://golang.org/issue/new

If you have Go installed already, the easiest way to try go1.17rc1
is by using the go command:
$ go get golang.org/dl/go1.17rc1
$ go1.17rc1 download

You can download binary and source distributions from the usual place:
https://golang.org/dl/#go1.17rc1

To find out what has changed in Go 1.17, read the draft release notes:
https://tip.golang.org/doc/go1.17

Cheers,
Cherry and Dmitri for the Go team

To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/CAOW6Qtj2nGnULqsmhD%3D0i4OEbVmZEfJs6VLdD_vNSiibQaFfSg%40mail.gmail.com.