Re: [go-nuts] Connectivity breakage from removal of TLS RSA KEX from default encryption suite

2024-08-27 Thread 'Roland Shoemaker' via golang-nuts
7, 2024 at 10:14:06 AM UTC-7 Roland Shoemaker wrote: > I agree that in this case the release note we provided was likely not > informative enough. We try to walk the line of providing useful yet concise > notes about changes, but in this particular case we did not provide enough > det

Re: [go-nuts] Connectivity breakage from removal of TLS RSA KEX from default encryption suite

2024-08-27 Thread 'Roland Shoemaker' via golang-nuts
I agree that in this case the release note we provided was likely not informative enough. We try to walk the line of providing useful yet concise notes about changes, but in this particular case we did not provide enough detail specifically about how this change may cause breakage. In general t

[go-nuts] [security] Vulnerability in golang.org/x/crypto/ssh

2023-12-18 Thread Roland Shoemaker
Hello gophers, Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise the integrity of the secure channel before it was established, allowing them to prevent transmission of a number of messages immediately

[go-nuts] golang.org/x/crypto/ssh fix pre-announcement

2023-12-12 Thread Roland Shoemaker
Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Monday, December 18th. This will cover CVE-2023-48795. Following our security policy, this is the pre-announcement of that fix. Cheers, Roland on behalf of the Go team

[go-nuts] Re: [golang-dev] [security] Go 1.20.1 and Go 1.19.6 are released

2023-02-15 Thread 'Roland Shoemaker' via golang-nuts
Hey all, When writing the release note for the net/http and mime/multipart security fix (CVE-2022-41725), we mixed up two earlier reports about a similar issue and credited the incorrect reporter. The credit should go to Arpad Ryszka and Jakob Ackermann. We apologize for this mixup, and want to s

[go-nuts] [security] Vulnerability in golang.org/x/image/tiff

2023-02-14 Thread Roland Shoemaker
Hello gophers, Version v0.5.0 of golang.org/x/image fixes a vulnerability in the golang.org/x/image/tiff package which could cause a denial of service. An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This issue was disco

[go-nuts] [security] golang.org/x/image/tiff fix pre-announcement

2023-02-09 Thread Roland Shoemaker
Hello gophers, We plan to issue a security fix for the golang.org/x/image/tiff package in the golang.org/x/image module on Tuesday, February 14th. Following our security policy, this is the pre-announcement of that fix. Cheers, Roland on behalf of the Go team

[go-nuts] [security] Vulnerability in golang.org/x/text/language

2022-10-11 Thread Roland Shoemaker
Hello gophers, Version v0.3.8 of golang.org/x/text fixes a vulnerability in the golang.org/x/text/language package which could cause a denial of service. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue was discovered by OS

[go-nuts] [security] golang.org/x/text/language fix pre-announcement

2022-10-06 Thread Roland Shoemaker
Hello gophers, We plan to issue a security fix for the golang.org/x/text/language package in the golang.org/x/text module on Tuesday, October 11th. Following our security policy, this is the pre-announcement of that fix. Cheers, Roland on behalf of the Go team

[go-nuts] Most certificates managed by autocert require manual renewal

2022-01-26 Thread Roland Shoemaker
Hello gophers, The Let’s Encrypt certificate authority is revoking all certificates issued with the TLS-ALPN-01 verification method before 00:48 UTC on 26 January 2022 due to a compliance issue. (Read more in the Let’s Encrypt announcement

[go-nuts] [security] Vulnerability in golang.org/x/crypto/ssh

2021-12-02 Thread Roland Shoemaker
Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers. This issue was discovered and reported by Rod Hynes, Psiphon Inc., and is tracked as

[go-nuts] [security] golang.org/x/crypto/ssh fix pre-announcement

2021-11-29 Thread Roland Shoemaker
Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Thursday, December 2nd. Cheers, Roland on behalf of the Go team

[go-nuts] [security] Go 1.17.2 and Go 1.16.9 pre-announcement

2021-10-04 Thread 'Roland Shoemaker' via golang-nuts
Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor releases that include security fixes to the standard library. Following our new security policy, this is the pre-announcement of those releases. Thanks, Roland on beha

[go-nuts] [security] Go 1.15.7 and Go 1.14.14 are released

2021-01-19 Thread Roland Shoemaker
Hello gophers, We have just released Go 1.15.7 and Go 1.14.14 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.15.7). - cmd/go: packages using cgo can cause arbitrary code execution at build

[go-nuts] [security] Go 1.15.7 and Go 1.14.14 pre-announcement

2021-01-13 Thread Roland Shoemaker
Hello gophers, We plan to issue Go 1.15.7 and Go 1.14.14 on Tuesday, January 19th. These are minor releases that include security fixes. Following our policy at https://golang.org/security, this is the pre-announcement of those releases. Cheers, Roland on behalf of the Go team

[go-nuts] [security] Vulnerability in golang.org/x/crypto/ssh

2020-12-16 Thread Roland Shoemaker
Hello gophers, Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed clients to cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will

[go-nuts] [security] golang.org/x/crypto/ssh fix pre-announcement

2020-12-11 Thread Roland Shoemaker
Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Wednesday, December 16th. Cheers, Roland on behalf of the Go team