[go-nuts] An update of golang.org/x/crypto/ssh might be necessary

2022-03-15 Thread Filippo Valsorda
Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys. Previously, a client would fail to authenticate with RSA keys to servers that reject signature

[go-nuts] [security] Go 1.16.6 and Go 1.15.14 pre-announcement

2021-07-07 Thread Filippo Valsorda
Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases that include security fixes to the standard library. Following our new security policy, this is the pre-announcement of those releases. Alla prossima, Filippo

[go-nuts] [security] Vulnerability in golang.org/x/net/html

2021-05-20 Thread Filippo Valsorda
Hello gophers, Version v0.0.0-20210520170846-37e1c6afe023 of golang.org/x/net fixes a vulnerability in the golang.org/x/net/html package which could cause a denial of service. An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return. This

Re: [go-nuts] Minisign for x/crypto

2020-12-01 Thread Filippo Valsorda
Hi Peter, There is already github.com/jedisct1/go-minisign from the minisign author, so I don't think this needs to live in x/crypto. Cheers, Filippo On Wed, Nov 18, 2020 at 3:01 AM Ian Lance Taylor wrote: > [ + Filippo ] > > On Tue, Nov 17, 2020 at 12:56 PM 'Péter Szilágyi' via golang-nuts >

[go-nuts] [security] Go 1.15.1 and Go 1.14.8 are released

2020-09-01 Thread Filippo Valsorda
Hi gophers, We have just released Go 1.15.1 and Go 1.14.8 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.15.1). When a Handler does not explicitly set the Content-Type header, the

Re: [go-nuts] What version of BoringCrypto is used in the dev.boringcrypto branch?

2020-04-07 Thread Filippo Valsorda
On Mon, Apr 6, 2020 at 5:45 PM Ian Lance Taylor wrote: > [ + filippo ] > > On Mon, Apr 6, 2020 at 2:00 PM ancientlore wrote: > > > > Hi, we’re needing to use FIPS-validated crypto in a particular > deployment. It looks like the dev.boringcrypto branch would meet our needs > well. But I’m

[go-nuts] [security] Vulnerability in golang.org/x/crypto/ssh

2020-02-20 Thread Filippo Valsorda
Hello gophers, Version v0.0.0-20200220183623-bac4c82f6975 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed peers to cause a panic in SSH servers that accept public keys and in any SSH client. An attacker can craft an ssh-ed25519 or

[go-nuts] [security] golang.org/x/crypto/ssh fix pre-announcement

2020-02-18 Thread Filippo Valsorda
Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Thursday, February 20th. Cheers, Filippo for the Go team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe

[go-nuts] [security] Go 1.13.1 and Go 1.12.10 are released

2019-09-25 Thread Filippo Valsorda
Hi gophers, We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you’re not sure which, choose Go 1.13.1). net/http (through net/textproto) used to accept and normalize invalid

[go-nuts] [security] Go 1.12.10 and Go 1.13.1 pre-announcement

2019-09-20 Thread Filippo Valsorda
Hello gophers, We plan to issue Go 1.12.10 and Go 1.13.1 on Wednesday, September 25. These are minor releases to fix a security issue. Following our policy at https://golang.org/security, this is the pre-announcement of those releases. Cheers, Filippo on behalf of the Go team

[go-nuts] [security] Go 1.11.13 and Go 1.12.8 pre-announcement

2019-08-09 Thread 'Filippo Valsorda' via golang-nuts
Hello gophers, We plan to issue Go 1.11.13 and Go 1.12.8 on Tuesday, August 13. These are minor releases to fix multiple security issues. Following our policy at https://golang.org/security, this is the pre-announcement of those releases. Cheers, Filippo on behalf of the Go team

[go-nuts] [security] Go 1.11.13 and Go 1.12.8 pre-announcement

2019-08-09 Thread Filippo Valsorda
Hello gophers, We plan to issue Go 1.11.13 and Go 1.12.8 on Tuesday, August 13. These are minor releases to fix multiple security issues. Following our policy at https://golang.org/security, this is the pre-announcement of those releases. Cheers, Filippo on behalf of the Go team

[go-nuts] [security] Vulnerability in golang.org/x/crypto/salsa20

2019-03-20 Thread Filippo Valsorda
Hello gophers, Commit b7391e95 fixes a vulnerability in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages that affects large message sizes or high counter

[go-nuts] Go 1.12 Beta 1 is released

2018-12-18 Thread Filippo Valsorda
Hello gophers, We have just released go1.12beta1, a beta version of Go 1.12. It is cut from the master branch at the revision tagged go1.12beta1. Please try your production load tests and unit tests with the new version. Your help testing these pre-release versions is invaluable. Report any

[go-nuts] Go 1.11.4 and Go 1.10.7 are released

2018-12-14 Thread Filippo Valsorda
Hello gophers, We have just released Go versions 1.11.4 and 1.10.7, minor point releases. These releases include fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. They include a fix to a bug introduced in Go 1.11.3 and Go 1.10.6 that