Today, the Go team announced the release of Go 1.11.5 and Go 1.10.8. This version addresses a recently reported security issue.
Go team recommends all users to update to one of these releases. For users who are unsure of which one to choose, the team recommends Go 1.11.5.
The DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
There is an issue in the release tooling due to which go1.11.5.linux-amd64.tar.gz and go1.10.8.linux-amd64.tar.gz include two unnecessary directories in the root of the archive, “gocache” and “tmp”. The team members say that these issues are harmless and safe to remove.
They have also mentioned commands that can be used to extract only the necessary “go” directory from the archives. These commands would create a Go tree in /usr/local/go.
- tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz go
- tar -C /usr/local -xzf go1.10.8.linux-amd64.tar.gz go
To know more about these releases in detail, visit Go’s official mailing thread.
