Go 1.7.4 and Go 1.6.4 are released


Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.4 and Go 1.7.4.
We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.7.4).

The issues addressed by these releases are:

On Darwin, user’s trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.
This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.

The net/http package’s Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given “maxMemory” limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors.
This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.

Downloads are available at https://golang.org/dl for all supported platforms.

共 2 个回复


1.8beta1 也已经发布,如果官网不能访问的话,可以在本站下载。

# 0



# 1