blob: 87286e832954b15424adc9f55f3d7e36cfb73897 [file] [log] [blame]
Hello gophers,
We have just released Go versions 1.18.1 and 1.17.9, minor point releases.
These minor releases include 3 security fixes following the security policy <https://go.dev/security>:
- encoding/pem: fix stack overflow in Decode
A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.
Thanks to Juho Nurminen of Mattermost who reported the error.
This is CVE-2022-24675 and https://go.dev/issue/51853.
- crypto/elliptic: tolerate all oversized scalars in generic P-256
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
This was discovered thanks to a Project Wycheproof test vector.
This is CVE-2022-28327 and https://go.dev/issue/52075.
- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18
Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.
These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.
Thanks to Tailscale for doing weird things and finding this.
This is CVE-2022-27536 and https://go.dev/issue/51759.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.1
You can download binary and source distributions from the Go website:
https://go.dev/dl/
To compile from source using a Git clone, update to the release with
git checkout go1.18.1 and build as usual.
Thanks to everyone who contributed to the releases.
Cheers,
The Go team