The pre-announcement on golang-nuts also reiterated this plan :) On Jul 18, 2016 5:04 PM, "Ian Lance Taylor" <i...@golang.org> wrote:
> On Mon, Jul 18, 2016 at 4:40 PM, <jonathan.gaill...@live.com> wrote: > > Ah, sounds good. By chance is there an estimated date on that? :D > > Wednesday or Thursday. > > Ian > > > > On Monday, July 18, 2016 at 2:49:54 PM UTC-7, Ian Lance Taylor wrote: > >> > >> On Mon, Jul 18, 2016 at 1:09 PM, <jonathan...@live.com> wrote: > >> > Or another example https://github.com/golang/go/issues/16333. Its in > >> > master > >> > but not the release-branch.go1.7. > >> > >> Oh, I see. The plan, as discussed at the release meeting at Gophercon > >> but probably never sent to the list, is to do another real release > >> candidate later this week. The 1.7rc2 release candidate was just > >> pushed out for the security fix. For the next release candidate all > >> the relevant changes (which is probably all the changes except for one > >> that was committed accidentally and then reverted) will be migrated > >> from the master branch to the 1.7 branch. > >> > >> Ian > >> > >> > On Monday, July 18, 2016 at 12:31:13 PM UTC-7, Ian Lance Taylor wrote: > >> >> > >> >> On Mon, Jul 18, 2016 at 12:11 PM, <jonathan...@live.com> wrote: > >> >> > Why are the other changes to be released but not related to this > >> >> > security > >> >> > issue not in rc2? > >> >> > >> >> To which changes are you referring? > >> >> > >> >> Ian > >> >> > >> >> > >> >> > On Monday, July 18, 2016 at 9:59:54 AM UTC-7, Chris Broadfoot > wrote: > >> >> >> > >> >> >> A security-related issue was recently reported in Go's > net/http/cgi > >> >> >> package and net/http package when used in a CGI environment. Go > >> >> >> 1.6.3 > >> >> >> and Go > >> >> >> 1.7rc2 will contain a fix for this issue. > >> >> >> > >> >> >> Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input > >> >> >> validation > >> >> >> flaw in the CGI components resulting in the HTTP_PROXY environment > >> >> >> variable > >> >> >> being set by the incoming Proxy header. This environment variable > >> >> >> was > >> >> >> also > >> >> >> used to set the outgoing proxy, enabling an attacker to insert a > >> >> >> proxy > >> >> >> into > >> >> >> outgoing requests of a CGI program. > >> >> >> This is CVE-2016-5386 and was addressed by this change: > >> >> >> https://golang.org/cl/25010, tracked in this issue: > >> >> >> https://golang.org/issue/16405 > >> >> >> > >> >> >> The Go team would like to thank Dominic Scheirlinck for > coordinating > >> >> >> disclosure of this issue across multiple languages and CGI > >> >> >> environments. > >> >> >> Read more about "httpoxy" here: https://httpoxy.org/ > >> >> >> > >> >> >> Go 1.6.3 also adds support for macOS Sierra. See > >> >> >> https://golang.org/issue/16354 for details. > >> >> >> > >> >> >> Downloads are available at https://golang.org/dl for all > supported > >> >> >> platforms. > >> >> >> > >> >> >> Cheers, > >> >> >> Chris (on behalf of the Go team) > >> >> >> > >> >> > -- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "golang-nuts" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > >> >> > send > >> >> > an > >> >> > email to golang-nuts...@googlegroups.com. > >> >> > For more options, visit https://groups.google.com/d/optout. > >> > > >> > -- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "golang-nuts" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> > an > >> > email to golang-nuts...@googlegroups.com. > >> > For more options, visit https://groups.google.com/d/optout. > > > > -- > > You received this message because you are subscribed to the Google Groups > > "golang-nuts" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to golang-nuts+unsubscr...@googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
