
[security] Go 1.5.4 and Go 1.6.1 pre-announcement - sadlil
https://groups.google.com/forum/#!topic/golang-nuts/MmSbFHLPo8g
======
codezero
Text reads:

We plan to issue Go 1.5.4 and Go 1.6.1 on Wednesday April 13 at approximately
2am UTC. These are minor releases to fix two security issues.

Following our policy at
[https://golang.org/security](https://golang.org/security), this is the
pre-announcement of those releases.

They will be followed by a more significant 1.6.2 point release that will fix
a number of issues:
[https://github.com/golang/go/issues?utf8=%E2%9C%93&q=milesto...](https://github.com/golang/go/issues?utf8=%E2%9C%93&q=milestone%3AGo1.6.2)

Cheers,

Andrew, on behalf of the Go team

------
codys
Looking at the issue tracker (
[https://github.com/golang/go/issues?q=is%3Aopen+is%3Aissue+m...](https://github.com/golang/go/issues?q=is%3Aopen+is%3Aissue+milestone%3AGo1.6.1)
) looks like a windows DLL preload attack & another unspecified bug (currently
a placeholder).

If we take a look at the release branch though, it appears it might be crypto
related:
[https://github.com/golang/go/commits/release-branch.go1.6](https://github.com/golang/go/commits/release-branch.go1.6)

[https://github.com/golang/go/commit/4afe4c803ec378d7a0d7fbc3...](https://github.com/golang/go/commit/4afe4c803ec378d7a0d7fbc38d961df541d72134)

[https://github.com/golang/go/commit/2d8ecac3d0dbceed8830a43a...](https://github.com/golang/go/commit/2d8ecac3d0dbceed8830a43a3e752770577ffed1)

~~~
tptacek
Never say never, but I'm not super concerned about those crypto changes. RSA
decrypt in Go is only used for actual decrypt, so parameter checking of the
RSA privkey seems benign. And you don't usually have an attacker who can
choose the modulus in your curve algorithm.

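Added example, not code from the thread or from the Go project: one way to exercise the kind of RSA private-key parameter check referred to above, using the standard library's `(*rsa.PrivateKey).Validate`. The 2048-bit key size and the `TamperedCopy` helper (which bumps the private exponent by one and drops the precomputed CRT values so `Validate` has to re-derive everything) are my choices for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// ValidateKey runs the standard library's consistency checks on an RSA
// private key (product of primes equals N, d*e == 1 mod p-1 for each prime,
// CRT values consistent with d) and returns the first failure, if any.
func ValidateKey(priv *rsa.PrivateKey) error {
	return priv.Validate()
}

// TamperedCopy is a constructed, deliberately inconsistent key: the same
// public key and primes, but D+1 as the private exponent and no precomputed
// values, so Validate must derive the CRT parameters from the bad D.
func TamperedCopy(priv *rsa.PrivateKey) *rsa.PrivateKey {
	return &rsa.PrivateKey{
		PublicKey: priv.PublicKey,
		D:         new(big.Int).Add(priv.D, big.NewInt(1)),
		Primes:    append([]*big.Int(nil), priv.Primes...),
	}
}

// CheckFreshAndTampered generates a 2048-bit key, confirms it validates, and
// confirms that the tampered copy is rejected.
// It returns (fresh key valid, tampered key rejected, keygen error).
func CheckFreshAndTampered() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	freshOK := ValidateKey(priv) == nil
	tamperedRejected := ValidateKey(TamperedCopy(priv)) != nil
	return freshOK, tamperedRejected, nil
}

func main() {
	freshOK, tamperedRejected, err := CheckFreshAndTampered()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("fresh key validates:", freshOK)
	fmt.Println("tampered key rejected:", tamperedRejected)
}
```

A check like this is what a server does before loading a key it did not generate itself; with e = 65537 and 1024-bit primes, d+1 cannot satisfy d*e == 1 mod p-1, so the tampered copy is rejected with an "invalid exponents" style error.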
~~~
tyho
"""

Go has an infinite loop in several big integer routines that makes Go programs
vulnerable to remote denial of service attacks. Programs using HTTPS client
authentication or the Go ssh server libraries are both exposed to this
vulnerability. This is being addressed in the following CL:
[https://golang.org/cl/21533](https://golang.org/cl/21533)

"""

[http://seclists.org/oss-sec/2016/q2/11](http://seclists.org/oss-sec/2016/q2/11)

~~~
tptacek
Ahhhhh, I didn't consider DoS.

------
Strom
02:00 UTC seems a bit of an odd choice if the goal is to have people update
quickly. Something like 15:00 UTC would be better as it's 08:00 PST & 18:00
Moscow.

------
dang
An announcement of an announcement is the kind of thing we moderate off the HN
front page, since the real announcement will get posted when it happens.

------
Scarbutt
_Go is an open source programming language that makes it easy to build simple,
reliable, and efficient software._

Is use of Go meant just for simple software?

~~~
Zikes
Not exactly.

[https://github.com/docker/docker](https://github.com/docker/docker)

[https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)

[https://github.com/google/cayley](https://github.com/google/cayley)

