Specifically this one https://github.com/golang/go/issues/16308 but perhaps there are others.
On Monday, July 18, 2016 at 12:31:13 PM UTC-7, Ian Lance Taylor wrote: > > On Mon, Jul 18, 2016 at 12:11 PM, <jonathan...@live.com <javascript:>> > wrote: > > Why are the other changes to be released but not related to this > security > > issue not in rc2? > > To which changes are you referring? > > Ian > > > > On Monday, July 18, 2016 at 9:59:54 AM UTC-7, Chris Broadfoot wrote: > >> > >> A security-related issue was recently reported in Go's net/http/cgi > >> package and net/http package when used in a CGI environment. Go 1.6.3 > and Go > >> 1.7rc2 will contain a fix for this issue. > >> > >> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation > >> flaw in the CGI components resulting in the HTTP_PROXY environment > variable > >> being set by the incoming Proxy header. This environment variable was > also > >> used to set the outgoing proxy, enabling an attacker to insert a proxy > into > >> outgoing requests of a CGI program. > >> This is CVE-2016-5386 and was addressed by this change: > >> https://golang.org/cl/25010, tracked in this issue: > >> https://golang.org/issue/16405 > >> > >> The Go team would like to thank Dominic Scheirlinck for coordinating > >> disclosure of this issue across multiple languages and CGI > environments. > >> Read more about "httpoxy" here: https://httpoxy.org/ > >> > >> Go 1.6.3 also adds support for macOS Sierra. See > >> https://golang.org/issue/16354 for details. > >> > >> Downloads are available at https://golang.org/dl for all supported > >> platforms. > >> > >> Cheers, > >> Chris (on behalf of the Go team) > >> > > -- > > You received this message because you are subscribed to the Google > Groups > > "golang-nuts" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to golang-nuts...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
