Hi gophers,

We have just released Go 1.14.5 and Go 1.13.13 to address two recently
reported security issues. We recommend that all users update to one of
these releases (if you’re not sure which, choose Go 1.14.5).

- Data race in certain net/http servers including ReverseProxy

  Servers where the Handler concurrently reads the request body and writes a
  response can encounter a data race and crash. The httputil.ReverseProxy
  Handler is affected.

  Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay
  Kauzlaric, and Gabe Rosenhouse for reporting this issue.

  This issue is CVE-2020-15586 and Go issue golang.org/issue/34902.

- X.509 verification ignores provided EKUs on Windows

  On Windows, if VerifyOptions.Roots
  <https://pkg.go.dev/crypto/x509?tab=doc#VerifyOptions.Roots> is nil,
  Certificate.Verify
  <https://pkg.go.dev/crypto/x509?tab=doc#VerifyOptions.Roots> does not check
  the EKU requirements specified in VerifyOptions.KeyUsages
  <https://pkg.go.dev/crypto/x509?tab=doc#VerifyOptions.KeyUsages>.

  Thanks to Niall Newman for reporting this issue.

  This issue is CVE-2020-14039 and Go issue golang.org/issue/39360.

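The following is an added example, not code from the Go release or the announcement above. It shows the defensive pattern the Windows EKU issue makes worth having: verify against an explicitly supplied root pool (so VerifyOptions.Roots is never nil) and then re-check the leaf's extended key usages independently of whichever verifier ran. The CA, leaf, hostname "service.example" and the helper names makeChain and verifyWithEKU are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeChain builds a constructed, in-memory test CA and a leaf certificate
// carrying exactly the given extended key usages. Fixture code for this
// example only; not part of the Go project.
func makeChain(leafEKUs []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "service.example"},
		DNSNames:     []string{"service.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  leafEKUs,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// verifyWithEKU chains leaf to an explicit root pool and then enforces the
// required EKU itself, so the outcome does not depend on whether a platform
// verifier honours VerifyOptions.KeyUsages.
func verifyWithEKU(leaf, root *x509.Certificate, dnsName string, required x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots, // never nil: keeps verification in Go's own verifier
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{required},
	}); err != nil {
		return err
	}
	// Independent EKU check. A leaf with no EKU extension is accepted here,
	// matching crypto/x509's own rule that an absent extension permits any usage.
	if len(leaf.ExtKeyUsage) == 0 {
		return nil
	}
	for _, eku := range leaf.ExtKeyUsage {
		if eku == required || eku == x509.ExtKeyUsageAny {
			return nil
		}
	}
	return errors.New("leaf certificate does not permit the required extended key usage")
}

func main() {
	ca, leaf, err := makeChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	// Constructed leaf carries only serverAuth: the first call succeeds, the second fails.
	fmt.Println("serverAuth:", verifyWithEKU(leaf, ca, "service.example", x509.ExtKeyUsageServerAuth))
	fmt.Println("clientAuth:", verifyWithEKU(leaf, ca, "service.example", x509.ExtKeyUsageClientAuth))
}
```

The second check in verifyWithEKU is deliberately redundant on a fixed Go release; its value is that a regression or a platform verifier quirk in Verify's EKU handling no longer silently widens what a certificate is accepted for.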
The upcoming Go 1.15rc1 release will also include the fixes above.

We would also like to thank Andy Lindeman, who reported a cross-site
scripting vulnerability and a CSP bypass in pkg.go.dev, now fixed.

Downloads are available at https://golang.org/dl for all supported
platforms.

Thank you,

Katie and Filippo on behalf of the Go team
