[security] Go 1.18.3 and Go 1.17.11 are released

520 views
Skip to first unread message

Dmitri Shuralyov

unread,
Jun 1, 2022, 4:59:54 PM6/1/22
to golan...@googlegroups.com
Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:
  • crypto/rand: rand.Read hangs with extremely large buffers

    On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

    Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue.

    This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
  • crypto/tls: session tickets lack random ticket_age_add

    Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

    Thanks to GitHub user @nervuri for reporting this.

    This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
  • os/exec: empty Cmd.Path can result in running unintended binary on Windows

    If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.

    Thanks to Chris Darroch (chris...@github.com), brian m. carlson (bk2...@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3) for reporting this.

    This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
  • path/filepath: Clean(`.\c:`) returns `c:` on Windows

    On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

    Thanks to Unrud for reporting this issue.

    This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.minor

You can download binary and source distributions from the Go web site:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.18.3" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Dmitri and Alex for the Go team

Jakob Borg

unread,
Jun 1, 2022, 5:12:53 PM6/1/22
to Dmitri Shuralyov, golan...@googlegroups.com
On 1 Jun 2022, at 22:58, Dmitri Shuralyov <dmit...@golang.org> wrote:

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

Hi Dmitry,

Thanks for this and the notification. However, there does not appear to exist a golang:1.18.3 Docker image, or a go-gettable golang.org/dl/go1.18.3 yet. Are those part of the release, do you know when they will be available?

Best regards,
Jakob

Dmitri Shuralyov

unread,
Jun 1, 2022, 5:26:05 PM6/1/22
to golang-nuts
Hi Jakob,

The go-gettable golang.org/dl/go1.18.3 command is published and might take a moment to propagate.
You can either try again in a short while, or do something like 'go install golang.org/dl/go1.18.3@HEAD'.
(The '@HEAD' suffix is one of the ways to explicitly request that particular git revision.)

For questions about the Docker images published at https://hub.docker.com/_/golang, you'll want to
contact their maintainers linked at the top of the quick reference section. It's reasonable to expect
they'll show up soon now that this Go release is published.

Thanks,
Dmitri

Reply all
Reply to author
Forward
0 new messages