Hello gophers,

We have just released Go versions 1.17.7 and 1.16.14, minor point releases.

These minor releases include three security fixes following the security policy <https://go.dev/security>:

- crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

  Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

  Thanks to Guido Vranken for reporting this.

  This is CVE-2022-23806 and https://go.dev/issue/50974.

- math/big: prevent large memory consumption in Rat.SetString

  An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.

  Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it.

  This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

- cmd/go: prevent branches from materializing into versions

  A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.

  This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with "git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team
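Added example, not from the Go team or this announcement: for the crypto/elliptic item, a caller-side check in Go that rejects coordinates outside [0, P) before calling IsOnCurve, so the result does not depend on which release is installed. checkPoint and constructedInputs are hypothetical names, and the sample points are constructed from the P-256 base point.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// checkPoint is a hypothetical helper (not part of crypto/elliptic). It
// rejects coordinates that are not field elements before asking the curve
// whether the point lies on it, so the answer does not depend on how a given
// Go release treats negative or overflowing values.
func checkPoint(curve elliptic.Curve, x, y *big.Int) error {
	p := curve.Params().P
	for _, c := range []*big.Int{x, y} {
		if c == nil || c.Sign() < 0 || c.Cmp(p) >= 0 {
			return errors.New("coordinate is not in [0, P)")
		}
	}
	if !curve.IsOnCurve(x, y) {
		return errors.New("point is not on the curve")
	}
	return nil
}

// constructedInputs returns sample points built from the P-256 base point:
// the valid point, one with x shifted up by P (overflowing), and one with x
// shifted down by P (negative). Both shifted values equal Gx modulo P.
func constructedInputs() (elliptic.Curve, map[string][2]*big.Int) {
	curve := elliptic.P256()
	pr := curve.Params()
	return curve, map[string][2]*big.Int{
		"valid":       {pr.Gx, pr.Gy},
		"overflowing": {new(big.Int).Add(pr.Gx, pr.P), pr.Gy},
		"negative":    {new(big.Int).Sub(pr.Gx, pr.P), pr.Gy},
	}
}

func main() {
	curve, pts := constructedInputs()
	for _, name := range []string{"valid", "overflowing", "negative"} {
		pt := pts[name]
		fmt.Printf("%-12s %v\n", name, checkPoint(curve, pt[0], pt[1]))
	}
}
```

Points obtained from Unmarshal do not need the range check, since the announcement notes it never returns such values; the check matters for coordinates that arrive as raw big.Int values from other sources.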