On Mon, Jul 18, 2016 at 4:40 PM, <jonathan.gaill...@live.com> wrote:
> Ah, sounds good. By chance is there an estimated date on that? :D

Wednesday or Thursday.

Ian

> On Monday, July 18, 2016 at 2:49:54 PM UTC-7, Ian Lance Taylor wrote:
>>
>> On Mon, Jul 18, 2016 at 1:09 PM, <jonathan...@live.com> wrote:
>> > Or another example https://github.com/golang/go/issues/16333. It's in
>> > master but not the release-branch.go1.7.
>>
>> Oh, I see. The plan, as discussed at the release meeting at Gophercon
>> but probably never sent to the list, is to do another real release
>> candidate later this week. The 1.7rc2 release candidate was just
>> pushed out for the security fix. For the next release candidate all
>> the relevant changes (which is probably all the changes except for one
>> that was committed accidentally and then reverted) will be migrated
>> from the master branch to the 1.7 branch.
>>
>> Ian
>>
>> > On Monday, July 18, 2016 at 12:31:13 PM UTC-7, Ian Lance Taylor wrote:
>> >>
>> >> On Mon, Jul 18, 2016 at 12:11 PM, <jonathan...@live.com> wrote:
>> >> > Why are the other changes to be released but not related to this
>> >> > security issue not in rc2?
>> >>
>> >> To which changes are you referring?
>> >>
>> >> Ian
>> >>
>> >> > On Monday, July 18, 2016 at 9:59:54 AM UTC-7, Chris Broadfoot wrote:
>> >> >>
>> >> >> A security-related issue was recently reported in Go's net/http/cgi
>> >> >> package and net/http package when used in a CGI environment. Go 1.6.3
>> >> >> and Go 1.7rc2 will contain a fix for this issue.
>> >> >>
>> >> >> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation
>> >> >> flaw in the CGI components resulting in the HTTP_PROXY environment
>> >> >> variable being set by the incoming Proxy header. This environment
>> >> >> variable was also used to set the outgoing proxy, enabling an attacker
>> >> >> to insert a proxy into outgoing requests of a CGI program.
>> >> >>
>> >> >> This is CVE-2016-5386 and was addressed by this change:
>> >> >> https://golang.org/cl/25010, tracked in this issue:
>> >> >> https://golang.org/issue/16405
>> >> >>
>> >> >> The Go team would like to thank Dominic Scheirlinck for coordinating
>> >> >> disclosure of this issue across multiple languages and CGI
>> >> >> environments. Read more about "httpoxy" here: https://httpoxy.org/
>> >> >>
>> >> >> Go 1.6.3 also adds support for macOS Sierra. See
>> >> >> https://golang.org/issue/16354 for details.
>> >> >>
>> >> >> Downloads are available at https://golang.org/dl for all supported
>> >> >> platforms.
>> >> >>
>> >> >> Cheers,
>> >> >> Chris (on behalf of the Go team)
>> >> >>
>> >> > --
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "golang-nuts" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send an email to golang-nuts...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
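
The header-to-environment mapping described in the announcement, as an added Go example that is not part of the thread and is not the code from the Go change: `cgiEnv`, `lookup` and `outgoingProxy` are hypothetical helpers, and the request and proxy host are constructed. It shows a server-side filter that drops the `Proxy` header and a client-side guard that ignores `HTTP_PROXY` when `REQUEST_METHOD` marks a CGI process.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiEnv maps request headers to CGI meta-variables (HTTP_<NAME>, upper-cased,
// '-' to '_'). With dropProxy=false a "Proxy" header becomes HTTP_PROXY.
func cgiEnv(h http.Header, dropProxy bool) []string {
	env := []string{"REQUEST_METHOD=GET"} // set by the CGI host, not the client
	for name, vals := range h {
		if dropProxy && http.CanonicalHeaderKey(name) == "Proxy" {
			continue // never let a request header define HTTP_PROXY
		}
		key := "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		env = append(env, key+"="+strings.Join(vals, ", "))
	}
	return env
}

// lookup returns the value of key in an env slice and whether it is set.
func lookup(env []string, key string) (string, bool) {
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}

// outgoingProxy is a client-side guard: REQUEST_METHOD marks a CGI process,
// where HTTP_PROXY may be request-derived, so it is ignored there.
func outgoingProxy(env []string) string {
	if _, cgi := lookup(env, "REQUEST_METHOD"); cgi {
		return ""
	}
	v, _ := lookup(env, "HTTP_PROXY")
	return v
}

func main() {
	h := http.Header{"Proxy": {"http://proxy.example.invalid:8080"}} // constructed
	for _, drop := range []bool{false, true} {
		env := cgiEnv(h, drop)
		fmt.Printf("dropProxy=%v env=%q guardedProxy=%q\n", drop, env, outgoingProxy(env))
	}
}
```
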