a7be4ea832
This minor release includes three security fixes following the security policy: - encoding/pem: fix stack overflow in Decode A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash. Thanks to Juho Nurminen of Mattermost who reported the error. This is CVE-2022-24675 and https://go.dev/issue/51853. - crypto/elliptic: tolerate all oversized scalars in generic P-256 A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. This was discovered thanks to a Project Wycheproof test vector. This is CVE-2022-28327 and https://go.dev/issue/52075. - crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18 Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash. Thanks to Tailscale for doing weird things and finding this. This is CVE-2022-27536 and https://go.dev/issue/51759. |
||
|---|---|---|
| .. | ||
| bootstrap.mk | ||
| DESCR | ||
| go-dep.mk | ||
| go-module.mk | ||
| go-package.mk | ||
| go-vars.mk | ||
| Makefile | ||
| version.mk | ||