Ah, sounds good. By chance is there an estimated date on that? :D

On Monday, July 18, 2016 at 2:49:54 PM UTC-7, Ian Lance Taylor wrote:
>
> On Mon, Jul 18, 2016 at 1:09 PM, <jonathan...@live.com> wrote:
> > Or another example https://github.com/golang/go/issues/16333. It's in master
> > but not the release-branch.go1.7.
>
> Oh, I see.  The plan, as discussed at the release meeting at Gophercon 
> but probably never sent to the list, is to do another real release 
> candidate later this week.  The 1.7rc2 release candidate was just 
> pushed out for the security fix.  For the next release candidate all 
> the relevant changes (which is probably all the changes except for one 
> that was committed accidentally and then reverted) will be migrated 
> from the master branch to the 1.7 branch. 
>
> Ian 
>
> > On Monday, July 18, 2016 at 12:31:13 PM UTC-7, Ian Lance Taylor wrote: 
> >> 
> >> On Mon, Jul 18, 2016 at 12:11 PM,  <jonathan...@live.com> wrote: 
> >> > Why are the other changes to be released but not related to this security
> >> > issue not in rc2?
> >> 
> >> To which changes are you referring? 
> >> 
> >> Ian 
> >> 
> >> 
> >> > On Monday, July 18, 2016 at 9:59:54 AM UTC-7, Chris Broadfoot wrote: 
> >> >> 
> >> >> A security-related issue was recently reported in Go's net/http/cgi
> >> >> package and net/http package when used in a CGI environment. Go 1.6.3
> >> >> and Go 1.7rc2 will contain a fix for this issue.
> >> >>
> >> >> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation
> >> >> flaw in the CGI components resulting in the HTTP_PROXY environment
> >> >> variable being set by the incoming Proxy header. This environment
> >> >> variable was also used to set the outgoing proxy, enabling an attacker
> >> >> to insert a proxy into outgoing requests of a CGI program.
> >> >> This is CVE-2016-5386 and was addressed by this change:
> >> >> https://golang.org/cl/25010, tracked in this issue:
> >> >> https://golang.org/issue/16405
> >> >> 
> >> >> The Go team would like to thank Dominic Scheirlinck for coordinating 
> >> >> disclosure of this issue across multiple languages and CGI 
> >> >> environments. 
> >> >> Read more about "httpoxy" here: https://httpoxy.org/ 
> >> >> 
> >> >> Go 1.6.3 also adds support for macOS Sierra. See 
> >> >> https://golang.org/issue/16354 for details. 
> >> >> 
> >> >> Downloads are available at https://golang.org/dl for all supported 
> >> >> platforms. 
> >> >> 
> >> >> Cheers, 
> >> >> Chris (on behalf of the Go team) 
> >> >> 
> >> > -- 
> >> > You received this message because you are subscribed to the Google Groups
> >> > "golang-nuts" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to golang-nuts...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
> > 
>
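
The header-to-environment mapping described in the quoted announcement, as an added example that is not part of this thread and is not the Go source or the change in cl/25010. The names `cgiEnv`, `StripProxyHeader` and `seenProxy` and the proxy URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cgiEnv mimics the CGI convention of exporting each request header as an
// HTTP_* environment variable (illustrative helper, not net/http/cgi code).
// With skipProxy=false a "Proxy" header becomes HTTP_PROXY, which is the flaw.
func cgiEnv(h http.Header, skipProxy bool) map[string]string {
	env := make(map[string]string)
	for name, vals := range h {
		key := strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		if skipProxy && key == "PROXY" {
			continue // hardened: a request header never populates HTTP_PROXY
		}
		env["HTTP_"+key] = strings.Join(vals, ", ")
	}
	return env
}

// StripProxyHeader is a defence-in-depth middleware for servers that hand
// requests to CGI children: it deletes the Proxy header before dispatch.
func StripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

// seenProxy returns the Proxy header the inner handler sees after the middleware.
func seenProxy(value string) string {
	var got string
	h := StripProxyHeader(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get("Proxy")
	}))
	req := httptest.NewRequest("GET", "/cgi-bin/app", nil) // constructed request
	req.Header.Set("Proxy", value)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return got
}

func main() {
	hdr := http.Header{"Proxy": {"http://proxy.example.invalid:8080"}} // constructed
	fmt.Println(cgiEnv(hdr, false)["HTTP_PROXY"], cgiEnv(hdr, true), seenProxy("x"))
}
```

The middleware is useful on front ends that cannot be upgraded immediately; it does not replace running a Go release that contains the fix.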
