Hello gophers, We have just released Go versions 1.24.3 and 1.23.9, minor point releases.
The Go 1.24.3 minor release includes 1 security fix following the security policy <https://go.dev/security>: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555. Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue. This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are not affected by this. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.3 You can download binary and source distributions from the Go website: https://go.dev/dl/ To compile from source using a Git clone, update to the release with git checkout go1.24.3 and build as usual. Thanks to everyone who contributed to the releases. Cheers, Cherry and Carlos for the Go team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/CAOW6Qti%2BtKO3%2B5jAwaFvKZS5zkDFmUDVBhpkX%3DxQWPkuX02ibg%40mail.gmail.com.
