[go-nuts] Re: [golang-dev] Re: [security] Go 1.11.5 and Go 1.10.8 are released
Got it, thanks. On Wed, Jan 23, 2019 at 6:41 PM Julie Qiu wrote: > > We will not be updating the archives for this release. The reason is because > these directories do not affect functionality, and we do not want to risk the > availability of the security release, nor we want to change the contents of > already published archives. > > Julie > > On Wed, Jan 23, 2019 at 8:00 PM andrey mirtchovski > wrote: >> >> sorry to be a bother, but are you publishing new archives? will you >> publish new hashes for the archives with the commands executed thusly? >> >> On Wed, Jan 23, 2019 at 5:12 PM Julie Qiu wrote: >> > >> > Hello gophers, >> > >> > Due to an issue with the release tooling (https://golang.org/issue/29906), >> > go1.11.5.linux-amd64.tar.gz and go1.10.8.linux-amd64.tar.gz include two >> > unnecessary directories in the root of the archive: "gocache" and "tmp". >> > >> > They are harmless and safe to remove. >> > >> > The following commands can be used to extract only the necessary “go” >> > directory from the archives: >> > >> > tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz go >> > tar -C /usr/local -xzf go1.10.8.linux-amd64.tar.gz go >> > >> > >> > These commands will create a Go tree in /usr/local/go. >> > >> > Sorry for the inconvenience, >> > Julie (on behalf of the Go team) >> > >> > On Wed, Jan 23, 2019 at 4:53 PM Julie Qiu wrote: >> >> >> >> Hi gophers, >> >> >> >> We have just released Go 1.11.5 and Go 1.10.8 to address a recently >> >> reported security issue. We recommend that all users update to one of >> >> these releases (if you’re not sure which, choose Go 1.11.5). >> >> >> >> This DoS vulnerability in the crypto/elliptic implementations of the >> >> P-521 and P-384 elliptic curves may let an attacker craft inputs that >> >> consume excessive amounts of CPU. >> >> >> >> These inputs might be delivered via TLS handshakes, X.509 certificates, >> >> JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH >> >> private key is reused more than once, the attack can also lead to key >> >> recovery. >> >> >> >> The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the >> >> Go issue for more details. >> >> >> >> Downloads are available at https://golang.org/dl for all supported >> >> platforms. >> >> >> >> Cheers, >> >> >> >> Julie (on behalf of the Go team) >> > >> > -- >> > You received this message because you are subscribed to the Google Groups >> > "golang-dev" group. >> > To unsubscribe from this group and stop receiving emails from it, send an >> > email to golang-dev+unsubscr...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[go-nuts] Re: [golang-dev] Re: [security] Go 1.11.5 and Go 1.10.8 are released
We will not be updating the archives for this release. The reason is because these directories do not affect functionality, and we do not want to risk the availability of the security release, nor we want to change the contents of already published archives. Julie On Wed, Jan 23, 2019 at 8:00 PM andrey mirtchovski wrote: > sorry to be a bother, but are you publishing new archives? will you > publish new hashes for the archives with the commands executed thusly? > > On Wed, Jan 23, 2019 at 5:12 PM Julie Qiu wrote: > > > > Hello gophers, > > > > Due to an issue with the release tooling (https://golang.org/issue/29906), > go1.11.5.linux-amd64.tar.gz and go1.10.8.linux-amd64.tar.gz include two > unnecessary directories in the root of the archive: "gocache" and "tmp". > > > > They are harmless and safe to remove. > > > > The following commands can be used to extract only the necessary “go” > directory from the archives: > > > > tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz go > > tar -C /usr/local -xzf go1.10.8.linux-amd64.tar.gz go > > > > > > These commands will create a Go tree in /usr/local/go. > > > > Sorry for the inconvenience, > > Julie (on behalf of the Go team) > > > > On Wed, Jan 23, 2019 at 4:53 PM Julie Qiu wrote: > >> > >> Hi gophers, > >> > >> We have just released Go 1.11.5 and Go 1.10.8 to address a recently > reported security issue. We recommend that all users update to one of these > releases (if you’re not sure which, choose Go 1.11.5). > >> > >> This DoS vulnerability in the crypto/elliptic implementations of the > P-521 and P-384 elliptic curves may let an attacker craft inputs that > consume excessive amounts of CPU. > >> > >> These inputs might be delivered via TLS handshakes, X.509 certificates, > JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH > private key is reused more than once, the attack can also lead to key > recovery. > >> > >> The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See > the Go issue for more details. > >> > >> Downloads are available at https://golang.org/dl for all supported > platforms. > >> > >> Cheers, > >> > >> Julie (on behalf of the Go team) > > > > -- > > You received this message because you are subscribed to the Google > Groups "golang-dev" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to golang-dev+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[go-nuts] Re: [golang-dev] Re: [security] Go 1.11.5 and Go 1.10.8 are released
sorry to be a bother, but are you publishing new archives? will you publish new hashes for the archives with the commands executed thusly? On Wed, Jan 23, 2019 at 5:12 PM Julie Qiu wrote: > > Hello gophers, > > Due to an issue with the release tooling (https://golang.org/issue/29906), > go1.11.5.linux-amd64.tar.gz and go1.10.8.linux-amd64.tar.gz include two > unnecessary directories in the root of the archive: "gocache" and "tmp". > > They are harmless and safe to remove. > > The following commands can be used to extract only the necessary “go” > directory from the archives: > > tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz go > tar -C /usr/local -xzf go1.10.8.linux-amd64.tar.gz go > > > These commands will create a Go tree in /usr/local/go. > > Sorry for the inconvenience, > Julie (on behalf of the Go team) > > On Wed, Jan 23, 2019 at 4:53 PM Julie Qiu wrote: >> >> Hi gophers, >> >> We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported >> security issue. We recommend that all users update to one of these releases >> (if you’re not sure which, choose Go 1.11.5). >> >> This DoS vulnerability in the crypto/elliptic implementations of the P-521 >> and P-384 elliptic curves may let an attacker craft inputs that consume >> excessive amounts of CPU. >> >> These inputs might be delivered via TLS handshakes, X.509 certificates, JWT >> tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private >> key is reused more than once, the attack can also lead to key recovery. >> >> The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go >> issue for more details. >> >> Downloads are available at https://golang.org/dl for all supported platforms. >> >> Cheers, >> >> Julie (on behalf of the Go team) > > -- > You received this message because you are subscribed to the Google Groups > "golang-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-dev+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
