Upstream changes:
go1.7.5 (released 2017/01/26) includes fixes to the compiler, runtime, and the crypto/x509 and time packages. See the Go 1.7.5 milestone on our issue tracker for details.
Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.4 and Go 1.7.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.7.4).
The issues addressed by these releases are:
On Darwin, user's trust preferences for root certificates were not honored. If
the user had a root certificate loaded in their Keychain that was explicitly
not trusted, a Go program would still verify a connection using that root
certificate. This is addressed by https://golang.org/cl/33721, tracked in
https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.
The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors. This is addressed by
https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.
go1.7.2 should not be used. It was tagged but not fully released. The release
was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to
the summary of changes below.
go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the
crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3
milestone on our issue tracker for details.
go1.7.1 (released 2016/09/07) includes fixes to the compiler, runtime,
documentation, and the compress/flate, hash/crc32, io, net, net/http,
path/filepath, reflect, and syscall packages. See the Go 1.7.1 milestone on our
issue tracker for details.
The latest Go release, version 1.7, arrives six months after 1.6. Most of its
changes are in the implementation of the toolchain, runtime, and libraries.
There is one minor change to the language specification. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs
to continue to compile and run as before.
There is one tiny language change in this release. The section on terminating
statements clarifies that to determine whether a statement list ends in a
terminating statement, the “final non-empty statement” is considered the end,
matching the existing behavior of the gc and gccgo compiler toolchains. In
earlier releases the definition referred only to the “final statement,” leaving
the effect of trailing empty statements at the least unclear. The go/types
package has been updated to match the gc and gccgo compiler toolchains in this
respect. This change has no effect on the correctness of existing programs.
Go 1.7 adds support for macOS 10.12 Sierra. This support was backported to Go
1.6.3. Binaries built with versions of Go before 1.6.3 will not work correctly
on Sierra.
A security-related issue was recently reported in Go's net/http/cgi package and
net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain
a fix for this issue.
Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in
the CGI components resulting in the HTTP_PROXY environment variable being set
by the incoming Proxy header. This environment variable was also used to set
the outgoing proxy, enabling an attacker to insert a proxy into outgoing
requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change:
https://golang.org/cl/25010, tracked in this issue:
https://golang.org/issue/16405
The Go team would like to thank Dominic Scheirlinck for coordinating disclosure
of this issue across multiple languages and CGI environments. Read more about
"httpoxy" here: https://httpoxy.org/
Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354
for details.
Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.1 and Go 1.5.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.6.1).
The issues addressed by these releases are:
On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable
to DLL preloading attacks. For instance, if a user runs a Go executable from a
Downloads folder, malicious DLL files also downloaded to that folder could be
loaded into that executable.
This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428
Thanks to Taru Karttunen for identifying this issue.
Go's crypto libraries passed certain parameters unchecked to the underlying big
integer library, possibly leading to extremely long-running computations, which
in turn makes Go programs vulnerable to remote denial of service attacks.
Programs using HTTPS client certificates or the Go SSH server libraries are
both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533
Thanks to David Wong for identifying this issue.
The latest Go release, version 1.6, arrives six months after 1.5. Most of its
changes are in the implementation of the language, runtime, and libraries.
There are no changes to the language specification. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs
to continue to compile and run as before.
The release adds new ports to Linux on 64-bit MIPS and Android on 32-bit x86;
defined and enforced rules for sharing Go pointers with C; transparent,
automatic support for HTTP/2; and a new mechanism for template reuse.
Full changelog at https://golang.org/doc/go1.6.
Prevented the error message "*** Error 1 (ignored) ***" during installation
by using || instead of &&.
Shell commands are hidden during normal operation.
Go packages can be tested using "bmake test".
ok @bsiegert
Go packages now define a set of files to buildlink in their buildlink3.mk.
go-packages.mk no longer looks in ${PREFIX}/gopkg during the build. This
should also fix the spurious issues with rebuilds of .a files during bulk
builds of Go packages.
Int.Exp Montgomery code", to fix CVE-2015-8618.
From the oss-security posting that asked for a CVE:
"The Go open source project has received notification of an error in the
math/big library (https://golang.org/pkg/math/big/). The problem that was
identified is similar to CVE-2015-3193
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193>. The
vulnerability was introduced in the 1.5 release, and remains present in Go
1.5.1 and 1.5.2.
"A fix for the issue has been applied to the master branch of the Go repo
under CL 17672 <https://go-review.googlesource.com/#/c/17672/>. We will
also be releasing Go 1.5.3 to fix this vulnerability."
ok wiz@
go1.5.2 (released 2015/12/02) includes bug fixes to the compiler,
linker, and the mime/multipart, net, and runtime packages. See the Go
1.5.2 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.5.2
The issues were reported in Go's net/http package. They affect programs using
that package to proxy HTTP requests. We recommend that all users upgrade to Go
1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have
released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues.
Affected Go programs—those that use the net/http package as a proxy server—must
be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.
The CVE issue descriptions and fixes are linked below.
CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/
CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/
CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/https://go-review.googlesource.com/#/c/12865/https://go-review.googlesource.com/#/c/13148/
The Go team would like to thank Jed Denlea and Régis Leroy for their
contributions to this release. They have been awarded 1337 USD under the Google
Security Bounty program.
go1.5.1 (released 2015/09/08) includes bug fixes to the compiler, assembler,
and the fmt, net/textproto, net/http, and runtime packages. See the Go 1.5.1
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.5.1
This release now needs the previous one (lang/go14) to build.
The biggest developments in the implementation are:
* The compiler and runtime are now written entirely in Go (with a little
assembler). C is no longer involved in the implementation, and so the
C compiler that was once necessary for building the distribution is
gone.
* The garbage collector is now concurrent and provides dramatically
lower pause times by running, when possible, in parallel with other
goroutines.
* By default, Go programs run with GOMAXPROCS set to the number of cores
available; in prior releases it defaulted to 1.
* Support for internal packages is now provided for all repositories,
not just the Go core.
* The go command now provides experimental support for "vendoring"
external dependencies.
* A new go tool trace command supports fine-grained tracing of program
execution.
* A new go doc command (distinct from godoc) is customized for
command-line use.
Full release notes are at https://golang.org/doc/go1.5.
Today we announce Go 1.4, the fifth major stable release of Go,
arriving six months after our previous major release Go 1.3. It
contains a small language change, support for more operating systems
and processor architectures, and improvements to the tool chain
and libraries. As always, Go 1.4 keeps the promise of compatibility,
and almost everything will continue to compile and run without
change when moved to 1.4. For the full details, see the Go 1.4
release notes.
The most notable new feature in this release is official support
for Android. Using the support in the core and the libraries in
the golang.org/x/mobile repository, it is now possible to write
simple Android apps using only Go code. At this stage, the support
libraries are still nascent and under heavy development. Early
adopters should expect a bumpy ride, but we welcome the community
to get involved.
The language change is a tweak to the syntax of for-range loops.
You may now write "for range s {" to loop over each item from s,
without having to assign the value, loop index, or map key. See
the release notes for details.
The go command has a new subcommand, go generate, to automate the
running of tools to generate source code before compilation. For
example, it can be used to automate the generation of String methods
for typed constants using the new stringer tool. For more information,
see the design document.
Most programs will run about the same speed or slightly faster in
1.4 than in 1.3; some will be slightly slower. There are many
changes, making it hard to be precise about what to expect. See
the release notes for more discussion.
And, of course, there are many more improvements and bug fixes.
In case you missed it, a few weeks ago the sub-repositories were
moved to new locations. For example, the go.tools packages are now
imported from "golang.org/x/tools". See the announcement post for
details.
This release also coincides with the project's move from Mercurial
to Git (for source control), Rietveld to Gerrit (for code review),
and Google Code to Github (for issue tracking and wiki). The move
affects the core Go repository and its sub-repositories. You can
find the canonical Git repositories at go.googlesource.com, and
the issue tracker and wiki at the golang/go GitHub repo.
