7d0681f6c0
This minor release includes 2 security fixes following the security policy: net/http: handle server errors after sending GOAWAY A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this. This is CVE-2022-27664 and Go issue https://go.dev/issue/54658. net/url: JoinPath does not strip relative path components in all circumstances JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result. Thanks to q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385. |
||
|---|---|---|
| .. | ||
| bootstrap.mk | ||
| DESCR | ||
| go-dep.mk | ||
| go-module.mk | ||
| go-package.mk | ||
| go-vars.mk | ||
| Makefile | ||
| version.mk | ||