cda80a138f
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on our issue tracker for details.

go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.17.5 milestone on our issue tracker for details.

When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

- bootstrap.mk
- DESCR
- go-dep.mk
- go-module.mk
- go-package.mk
- go-vars.mk
- Makefile
- version.mk