[security] Go 1.16.1 and Go 1.15.9 are released
Katie Hockman
Hi gophers,
We have just released Go 1.16.1 and Go 1.15.9 to address recently reported security issues. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.16.1).
- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.
Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
- archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”.
This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
The upcoming minor releases of Go 1.16.2 and 1.15.10 will also include the fixes above.
Downloads are available at https://golang.org/dl for all supported platforms.
Note: we are proposing a new security policy for vulnerabilities in Go releases. Join the discussion at golang.org/issue/44918.
Thank you,
Katie on behalf of the Go team