On Mon, Jul 18, 2016 at 1:09 PM,  <jonathan.gaill...@live.com> wrote:
> Or another example https://github.com/golang/go/issues/16333. It's in master
> but not the release-branch.go1.7.

Oh, I see.  The plan, as discussed at the release meeting at Gophercon
but probably never sent to the list, is to do another real release
candidate later this week.  The 1.7rc2 release candidate was just
pushed out for the security fix.  For the next release candidate all
the relevant changes (which is probably all the changes except for one
that was committed accidentally and then reverted) will be migrated
from the master branch to the 1.7 branch.

Ian

> On Monday, July 18, 2016 at 12:31:13 PM UTC-7, Ian Lance Taylor wrote:
>>
>> On Mon, Jul 18, 2016 at 12:11 PM,  <jonathan...@live.com> wrote:
>> > Why are the other changes to be released but not related to this
>> > security issue not in rc2?
>>
>> To which changes are you referring?
>>
>> Ian
>>
>>
>> > On Monday, July 18, 2016 at 9:59:54 AM UTC-7, Chris Broadfoot wrote:
>> >>
>> >> A security-related issue was recently reported in Go's net/http/cgi
>> >> package and net/http package when used in a CGI environment. Go 1.6.3
>> >> and Go 1.7rc2 will contain a fix for this issue.
>> >>
>> >> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation
>> >> flaw in the CGI components resulting in the HTTP_PROXY environment
>> >> variable being set by the incoming Proxy header. This environment
>> >> variable was also used to set the outgoing proxy, enabling an attacker
>> >> to insert a proxy into outgoing requests of a CGI program.
>> >> This is CVE-2016-5386 and was addressed by this change:
>> >> https://golang.org/cl/25010, tracked in this issue:
>> >> https://golang.org/issue/16405
>> >>
>> >> The Go team would like to thank Dominic Scheirlinck for coordinating
>> >> disclosure of this issue across multiple languages and CGI environments.
>> >> Read more about "httpoxy" here: https://httpoxy.org/
>> >>
>> >> Go 1.6.3 also adds support for macOS Sierra. See
>> >> https://golang.org/issue/16354 for details.
>> >>
>> >> Downloads are available at https://golang.org/dl for all supported
>> >> platforms.
>> >>
>> >> Cheers,
>> >> Chris (on behalf of the Go team)
>> >>
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "golang-nuts" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to golang-nuts...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
