

Go 1.3.2 is released – fixes tls security bug - simme_
https://groups.google.com/forum/#!topic/golang-nuts/eeOHNw_shwU

======
simme_
Andrew Gerrand:

    
    
      Hi gophers,
      
      We've just released Go version 1.3.2, a minor point release.
      
      This release includes bug fixes to cgo and the crypto/tls package.
          https://golang.org/doc/devel/release.html#go1.3.minor
    
      The crypto/tls fix addresses a security bug that affects programs that use crypto/tls to implement a TLS server from Go 1.1 onwards. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes. This issue was discovered internally and there is no evidence of exploitation.
      
      You can download binary and source distributions from the Go web site:
          https://golang.org/dl/
    
      To compile from source using a Mercurial checkout, update to the release with "hg update release" and build as usual.
    
      Thanks to everyone who contributed to the release.
    
      Andrew
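
A defensive check for the condition the announcement describes, as an added example that is not part of the original post or the Go project's code: it flags a tls.Config that combines client certificates with SessionTicketsDisabled, and a Go release string in the range 1.1 up to 1.3.2. The function names, the sample config, and treating any ClientAuth other than NoClientCert as client authentication are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
)

// sampleConfig returns a constructed server config that matches the announcement.
func sampleConfig() *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
}

// configExposed reports whether cfg matches both conditions in the
// announcement. Assumption: any ClientAuth other than NoClientCert counts as
// "TLS client authentication using certificates".
func configExposed(cfg *tls.Config) bool {
	return cfg != nil && cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled
}

// runtimeAffected reports whether a release string such as "go1.3.1" lies in
// the range the announcement gives: Go 1.1 up to, but not including, 1.3.2.
// Strings that do not start with "go<major>.<minor>" are reported as false.
func runtimeAffected(v string) bool {
	var major, minor, patch int
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch)
	if n < 2 || major != 1 {
		return false
	}
	return minor == 1 || minor == 2 || (minor == 3 && patch < 2)
}

// assess combines both checks into one finding for a server config.
func assess(cfg *tls.Config, goVersion string) string {
	switch {
	case !configExposed(cfg):
		return "config not affected"
	case runtimeAffected(goVersion):
		return "affected: rebuild with Go 1.3.2 or later"
	default:
		return "config matches, runtime already fixed or outside range"
	}
}

func main() {
	cfg := sampleConfig()
	fmt.Println(runtime.Version(), "->", assess(cfg, runtime.Version()))
	fmt.Println("go1.3.1 ->", assess(cfg, "go1.3.1"))
}
```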

