go1.5.2 (released 2015/12/02) includes bug fixes to the compiler,
linker, and the mime/multipart, net, and runtime packages. See the Go
1.5.2 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.5.2
The issues were reported in Go's net/http package. They affect programs using
that package to proxy HTTP requests. We recommend that all users upgrade to Go
1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have
released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues.
Affected Go programs—those that use the net/http package as a proxy server—must
be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.
The CVE issue descriptions and fixes are linked below.
CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/
CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/
CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/
The Go team would like to thank Jed Denlea and Régis Leroy for their
contributions to this release. They have been awarded 1337 USD under the Google
Security Bounty program.
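The three header-framing conditions named in the CVE titles above can be checked on raw header lines before a proxy forwards a request. The following is an added example, not code from the Go project or from this package; the function name, issue labels and sample headers are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// framingIssues checks raw request header lines for the three framing
// problems named in the CVE titles. Illustrative only; this is not
// net/http's own parsing code.
func framingIssues(lines []string) []string {
	var issues []string
	contentLengths, hasTE := 0, false
	for _, line := range lines {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			issues = append(issues, "malformed-line")
			continue
		}
		name := parts[0]
		// CVE-2015-5739: "Content Length" (space, no hyphen) is not a valid
		// header name and must not be treated as Content-Length.
		if name == "" || strings.ContainsAny(name, " \t") {
			issues = append(issues, "invalid-name")
			continue
		}
		switch strings.ToLower(name) {
		case "content-length":
			contentLengths++
		case "transfer-encoding":
			hasTE = true
		}
	}
	// CVE-2015-5740: a repeated Content-Length should be answered with 400.
	if contentLengths > 1 {
		issues = append(issues, "duplicate-content-length")
	}
	// CVE-2015-5741: Content-Length is not sent together with Transfer-Encoding.
	if contentLengths > 0 && hasTE {
		issues = append(issues, "content-length-with-transfer-encoding")
	}
	return issues
}

func main() {
	// Constructed sample header lines, not taken from a real capture.
	fmt.Println(framingIssues([]string{"Host: example.test", "Content Length: 5"}))
	fmt.Println(framingIssues([]string{"Content-Length: 5", "Content-Length: 11"}))
	fmt.Println(framingIssues([]string{"Content-Length: 5", "Transfer-Encoding: chunked"}))
}
```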
go1.5.1 (released 2015/09/08) includes bug fixes to the compiler, assembler,
and the fmt, net/textproto, net/http, and runtime packages. See the Go 1.5.1
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.5.1
This release now needs the previous one (lang/go14) to build.
The biggest developments in the implementation are:
* The compiler and runtime are now written entirely in Go (with a little
assembler). C is no longer involved in the implementation, and so the
C compiler that was once necessary for building the distribution is
gone.
* The garbage collector is now concurrent and provides dramatically
lower pause times by running, when possible, in parallel with other
goroutines.
* By default, Go programs run with GOMAXPROCS set to the number of cores
available; in prior releases it defaulted to 1.
* Support for internal packages is now provided for all repositories,
not just the Go core.
* The go command now provides experimental support for "vendoring"
external dependencies.
* A new go tool trace command supports fine-grained tracing of program
execution.
* A new go doc command (distinct from godoc) is customized for
command-line use.
Full release notes are at https://golang.org/doc/go1.5.
Today we announce Go 1.4, the fifth major stable release of Go,
arriving six months after our previous major release Go 1.3. It
contains a small language change, support for more operating systems
and processor architectures, and improvements to the tool chain
and libraries. As always, Go 1.4 keeps the promise of compatibility,
and almost everything will continue to compile and run without
change when moved to 1.4. For the full details, see the Go 1.4
release notes.
The most notable new feature in this release is official support
for Android. Using the support in the core and the libraries in
the golang.org/x/mobile repository, it is now possible to write
simple Android apps using only Go code. At this stage, the support
libraries are still nascent and under heavy development. Early
adopters should expect a bumpy ride, but we welcome the community
to get involved.
The language change is a tweak to the syntax of for-range loops.
You may now write "for range s {" to loop over each item from s,
without having to assign the value, loop index, or map key. See
the release notes for details.
The go command has a new subcommand, go generate, to automate the
running of tools to generate source code before compilation. For
example, it can be used to automate the generation of String methods
for typed constants using the new stringer tool. For more information,
see the design document.
Most programs will run about the same speed or slightly faster in
1.4 than in 1.3; some will be slightly slower. There are many
changes, making it hard to be precise about what to expect. See
the release notes for more discussion.
And, of course, there are many more improvements and bug fixes.
In case you missed it, a few weeks ago the sub-repositories were
moved to new locations. For example, the go.tools packages are now
imported from "golang.org/x/tools". See the announcement post for
details.
This release also coincides with the project's move from Mercurial
to Git (for source control), Rietveld to Gerrit (for code review),
and Google Code to GitHub (for issue tracking and wiki). The move
affects the core Go repository and its sub-repositories. You can
find the canonical Git repositories at go.googlesource.com, and
the issue tracker and wiki at the golang/go GitHub repo.
Fixes "go get code.google.com/p/..." for me, once security/mozilla-rootcerts is
installed and configured (with the default settings).
Bumps PKGREVISION, since the package is modified.
ok bsiegert@
We've just released Go version 1.3.2, a minor point release.
This release includes bug fixes to cgo and the crypto/tls package.
https://golang.org/doc/devel/release.html#go1.3.minor
The crypto/tls fix addresses a security bug that affects programs
that use crypto/tls to implement a TLS server from Go 1.1 onwards.
If the server enables TLS client authentication using certificates
(this is rare) and explicitly sets SessionTicketsDisabled to true
in the tls.Config, then a malicious client can falsely assert
ownership of any client certificate it wishes. This issue was
discovered internally and there is no evidence of exploitation.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
It contains the following fixes:
* runtime: fix crash in runtime.GoroutineProfile
* runtime: if traceback sees a breakpoint, don't change the PC
* runtime: fix data race in GC
* net: ignore some errors in windows Accept
* database/sql: Use all connections in pool
go1.1.2 (released 2013/08/13) includes fixes to the gc compiler and cgo,
and the bufio, runtime, syscall, and time packages. See the change
history for details. If you use package syscall's Getrlimit and
Setrlimit functions under Linux on the ARM or 386 architectures, please
note change 55ac276af5a7 that fixes issue 5949.
This is a leaf package, so it should be ok during the freeze.