oss-sec mailing list archives
Go 1.23.1 and Go 1.22.7 released with 3 security fixes
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 5 Sep 2024 10:21:27 -0700
https://x.com/golang/status/1831719877121339614 announces: Go 1.23.1 and 1.22.7 are released! Security: Includes security fixes for encoding/gob, go/build/constraint, and go/parser https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc further says:
We have just released Go versions 1.23.1 and 1.22.7, minor point releases.
These minor releases include 3 security fixes following the security policy:
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains
deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested
structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University (anwa... () osu edu)
for reporting this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
- go/build/constraint: stack exhaustion in Parse
Calling Parse on a "// +build" build tag line with deeply nested
expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1
Current thread:
- Go 1.23.1 and Go 1.22.7 released with 3 security fixes Alan Coopersmith (Sep 05)
