[security] Go 1.8.4 and Go 1.9.1 are released

Chris Broadfoot

Oct 4, 2017, 4:35:07 PM
to golang-nuts
Hi gophers,

Two security-related issues were recently reported.
To address these issues, we have just released Go 1.8.4 and Go 1.9.1.

We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the “go get” command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.

Downloads are available at https://golang.org/dl for all supported platforms.

Cheers,
Chris (on behalf of the Go team)
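
The PlainAuth rule described in the announcement can be checked against an installed toolchain. The following is an added example, not part of the original announcement and not the Go project's own code; the host name and credentials are constructed, and `sendsPassword` and `violations` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// sendsPassword reports whether smtp.PlainAuth would release the password
// for a connection described by info. Start only builds the first AUTH
// message, so no network traffic is involved.
func sendsPassword(info smtp.ServerInfo) bool {
	// Constructed credentials; the host argument must match info.Name.
	auth := smtp.PlainAuth("", "user@example.com", "constructed-password", info.Name)
	_, resp, err := auth.Start(&info)
	return err == nil && len(resp) > 0
}

// policyCase pairs a connection state with the outcome the announcement describes.
type policyCase struct {
	label string
	info  smtp.ServerInfo
	want  bool
}

var cases = []policyCase{
	{"remote host, TLS", smtp.ServerInfo{Name: "mail.example.com", TLS: true, Auth: []string{"PLAIN"}}, true},
	{"remote host, no TLS, server advertises PLAIN", smtp.ServerInfo{Name: "mail.example.com", Auth: []string{"PLAIN"}}, false},
	{"localhost, no TLS", smtp.ServerInfo{Name: "localhost", Auth: []string{"PLAIN"}}, true},
}

// violations returns the labels of cases where the running toolchain's
// PlainAuth differs from the fixed policy (empty on a patched toolchain).
func violations() []string {
	var bad []string
	for _, c := range cases {
		if sendsPassword(c.info) != c.want {
			bad = append(bad, c.label)
		}
	}
	return bad
}

func main() {
	if bad := violations(); len(bad) > 0 {
		fmt.Println("PlainAuth does not match the fixed policy for:", bad)
		return
	}
	fmt.Println("PlainAuth releases credentials only over TLS or to localhost")
}
```

On a toolchain without the fix, the second case is the one expected to be reported, because the server's PLAIN advertisement alone was enough to release the password.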

Nathan Kerr

Oct 4, 2017, 4:44:44 PM
to golang-nuts
I updated my release related resources:
Hope the community finds them useful.

Nathan

Bakul Shah

Oct 4, 2017, 9:41:00 PM
to golang-nuts
Would it make sense for Go to update itself? Something
like "go update <release>" that fetches a platform
specific release, does some basic sanity tests and
if all goes well, overwrites $GOROOT.

Reto Brunner

Oct 5, 2017, 12:46:36 AM
to Bakul Shah, golang-nuts

God no,
My system is managed by a *package manager* and I want it to stay that way


mcro...@pivotal.io

Oct 5, 2017, 12:02:51 PM
to golang-nuts
Were CVEs reserved for these issues?

Molly Crowther
Cloud Foundry Foundation & Pivotal Security Teams

Jakub Cajka

Oct 6, 2017, 8:37:59 AM
to Chris Broadfoot, golang-nuts
Just for the record, I have requested CVEs to be assigned to these issues yesterday. They got CVE-2017-15041 and CVE-2017-15042, respectively. It is already noted in the issues by rsc.

JC

mcro...@pivotal.io

Oct 6, 2017, 10:44:41 AM
to golang-nuts
Apologies, I missed that somehow. Thanks for the followup.

Molly Crowther
Cloud Foundry + Pivotal Security Team

Rich

Oct 6, 2017, 2:21:11 PM
to golang-nuts
On linux / mac I just become root, cd to /usr/local then run this one liner:

Mac:

Linux64:

That will overwrite the existing /usr/local/go directory.  To check:

~] $ go version
go version go1.9.1 darwin/amd64

Bakul Shah

Oct 6, 2017, 3:26:24 PM
to Rich, golang-nuts
On Fri, 06 Oct 2017 11:21:10 -0700 Rich <rma...@gmail.com> wrote:
Rich writes:
> curl https://storage.googleapis.com/golang/go1.9.1.darwin-amd64.tar.gz | tar zxvf -
> That will overwrite the existing /usr/local/go directory. To check:

You are not alone in making this mistake. I made the *same*
mistake when installing a new release on a 32bit freebsd
machine and broke go (and wasted Ian's time by filing a bug
report). You have to /replace/ the installation, not
/overwrite/ it. I forgot since I rarely build go programs on
this machine.

There is a reason why MacOS, Windows, Linux, *BSD etc. use
installers instead of just "tar x" or "unzip" as it allows the
installer to run a script to do the right thing (such as
checking there is enough space, doing some simple test to
check everything went ok, restore the old release if it didn't
etc). In spirit "go update" is to "go get" what "pkg update" is
to "pkg install" or "brew update" is to "brew install".