Hi gophers,

We have just released Go 1.11.3 and Go 1.10.6 to address three recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.3).

- cmd/go: remote command execution during "go get -u"

  The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details. Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.

- cmd/go: directory traversal in "go get" via curly braces in import paths

  The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details. Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.

- crypto/x509: CPU denial of service in chain validation

  The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details. Thanks to Netflix for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

We are aware of a functionality regression in "go get" when executed in GOPATH mode on an import path pattern containing "..." (e.g., "go get github.com/golang/pkg/..."), when downloading packages not already present in the GOPATH workspace. This is issue golang.org/issue/29241. It will be resolved in the next minor patch releases, Go 1.11.4 and Go 1.10.7, which we plan to release soon. We apologize for any disruption.

Thank you,
Dmitri on behalf of the Go team