Re: [go-nuts] [security] Go 1.18.3 and Go 1.17.11 are released

2022-06-01 Thread Dmitri Shuralyov 
Hi Jakob,

The go-gettable golang.org/dl/go1.18.3 command is published and might take 
a moment to propagate.
You can either try again in a short while, or do something like 'go install 
golang.org/dl/go1.18.3@HEAD'.
(The '@HEAD' suffix is one of the ways to explicitly request that 
particular git revision.)

For questions about the Docker images published 
at https://hub.docker.com/_/golang, you'll want to
contact their maintainers linked at the top of the quick reference section. 
It's reasonable to expect
they'll show up soon now that this Go release is published.

Thanks,
Dmitri

On Wednesday, June 1, 2022 at 5:12:53 PM UTC-4 ja...@kastelo.net wrote:

> On 1 Jun 2022, at 22:58, Dmitri Shuralyov  wrote:
>
>
> Hello gophers,
>
> We have just released Go versions 1.18.3 and 1.17.11, minor point releases.
>
> These minor releases include 4 security fixes following the security 
> policy :
>
>
> Hi Dmitry,
>
> Thanks for this and the notification. However, there does not appear to 
> exist a golang:1.18.3 Docker image, or a go-gettable 
> golang.org/dl/go1.18.3 yet. Are those part of the release, do you know 
> when they will be available?
>
> Best regards,
> Jakob
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/f9c9049a-b919-4d74-b943-8aa12332aab9n%40googlegroups.com.

Re: [go-nuts] [security] Go 1.18.3 and Go 1.17.11 are released

2022-06-01 Thread Jakob Borg 
On 1 Jun 2022, at 22:58, Dmitri Shuralyov 
mailto:dmits...@golang.org>> wrote:

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security 
policy:

Hi Dmitry,

Thanks for this and the notification. However, there does not appear to exist a 
golang:1.18.3 Docker image, or a go-gettable 
golang.org/dl/go1.18.3 yet. Are those part of 
the release, do you know when they will be available?

Best regards,
Jakob

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/B057D2EF-EC61-4471-9FD9-E454278126D0%40kastelo.net.

[go-nuts] [security] Go 1.18.3 and Go 1.17.11 are released

2022-06-01 Thread Dmitri Shuralyov 
Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy
:

   - crypto/rand: rand.Read hangs with extremely large buffers

   On Windows, rand.Read will hang indefinitely if passed a buffer larger
   than 1 << 32 - 1 bytes.

   Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
   toolset, for reporting this issue.

   This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.


   - crypto/tls: session tickets lack random ticket_age_add

   Session tickets generated by crypto/tls did not contain a randomly
   generated ticket_age_add. This allows an attacker that can observe TLS
   handshakes to correlate successive connections by comparing ticket ages
   during session resumption.

   Thanks to GitHub user @nervuri for reporting this.

   This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.


   - os/exec: empty Cmd.Path can result in running unintended binary on
   Windows

   If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput
   are executed when Cmd.Path is unset and, in the working directory, there
   are binaries named either "..com" or "..exe", they will be executed.

   Thanks to Chris Darroch (chrisd8...@github.com), brian m. carlson (
   bk2...@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
   for reporting this.

   This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.


   - path/filepath: Clean(`.\c:`) returns `c:` on Windows

   On Windows, the filepath.Clean function could convert an invalid path to
   a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

   Thanks to Unrud for reporting this issue.

   This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.18.3" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Dmitri and Alex for the Go team

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CA%2BON-PGhdJhuxrZ_CBmmXyZQTtxZtAT6mV_pi9QMCU%2BNV%2B3zzA%40mail.gmail.com.