Go 1.4.3 is released (security fix)

1,220 views

Skip to first unread message

Andrew Gerrand

unread,

Sep 23, 2015, 10:15:34 PM9/23/15

to golang-nuts

If you are running Go 1.5.x you can disregard this message.

We have just issued Go 1.4.3 to address four security-related issues.

The issues were reported in Go's net/http package. They affect programs using that package to proxy HTTP requests. We recommend that all users upgrade to Go 1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues. Affected Go programs—those that use the net/http package as a proxy server—must be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.

Downloads are available at https://golang.org/dl for all supported platforms.

The CVE issue descriptions and fixes are linked below.

CVE-2015-5739

"Content Length" treated as valid header:

https://go-review.googlesource.com/#/c/11772/

CVE-2015-5740

Double content-length headers does not return 400 error:

https://go-review.googlesource.com/#/c/11810/

CVE-2015-5741

Additional hardening, not sending Content-Length w/Transfer-Encoding,

Closing connections:

https://go-review.googlesource.com/#/c/11810/

https://go-review.googlesource.com/#/c/12865/

https://go-review.googlesource.com/#/c/13148/

The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program.