golang.org/x/build@v0.0.0-20240506185731-218518f32b70/internal/task/testdata/announce-minor-with-security.html

golang.org/x/build@v0.0.0-20240506185731-218518f32b70/internal/task/testdata/announce-minor-with-security.html (about)

     1  <p>Hello gophers,</p>
     2  <p>We have just released Go versions 1.18.1 and 1.17.9, minor point releases.</p>
     3  <p>These minor releases include 3 security fixes following the <a href="https://go.dev/security">security policy</a>:</p>
     4  <ul>
     5  <li>
     6  <p>encoding/pem: fix stack overflow in Decode</p>
     7  <p>A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash.</p>
     8  <p>Thanks to Juho Nurminen of Mattermost who reported the error.</p>
     9  <p>This is CVE-2022-24675 and <a href="https://go.dev/issue/51853">https://go.dev/issue/51853</a>.</p>
    10  </li>
    11  <li>
    12  <p>crypto/elliptic: tolerate all oversized scalars in generic P-256</p>
    13  <p>A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.</p>
    14  <p>This was discovered thanks to a Project Wycheproof test vector.</p>
    15  <p>This is CVE-2022-28327 and <a href="https://go.dev/issue/52075">https://go.dev/issue/52075</a>.</p>
    16  </li>
    17  <li>
    18  <p>crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18</p>
    19  <p>Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS.</p>
    20  <p>These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.</p>
    21  <p>Thanks to Tailscale for doing weird things and finding this.</p>
    22  <p>This is CVE-2022-27536 and <a href="https://go.dev/issue/51759">https://go.dev/issue/51759</a>.</p>
    23  </li>
    24  </ul>
    25  <p>View the release notes for more information:<br>
    26  <a href="https://go.dev/doc/devel/release#go1.18.1">https://go.dev/doc/devel/release#go1.18.1</a></p>
    27  <p>You can download binary and source distributions from the Go website:<br>
    28  <a href="https://go.dev/dl/">https://go.dev/dl/</a></p>
    29  <p>To compile from source using a Git clone, update to the release with<br>
    30  <code>git checkout go1.18.1</code> and build as usual.</p>
    31  <p>Thanks to everyone who contributed to the releases.</p>
    32  <p>Cheers,<br>
    33  The Go team</p>