刚刚,Go 发布了 1.17.7 和 1.16.14,这依然是两个小版本,主要是安全更新。
具体包括三个安全问题修复:
- crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Thanks to Guido Vranken for reporting this.
This is CVE-2022-23806 and
https://go.dev/issue/50974
- math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.
This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
- cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.
This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
对大部分人应该没有影响。但如果你的项目涉及到以上包,请考虑升级。
可以用你喜欢的方式升级。这是官方推荐的:
Go 语言中文网也已经准备好这两个版本的安装包了,下载地址:<https://studygolang.com/dl>。
## 常见问题:为什么发两个版本?
官方一直维护最近的两个主要版本,因为 Go1.18 还没有正式发布,因此最近的两个主要版本是:Go1.17.x 和 Go1.16.x。
有疑问加站长微信联系(非本文作者)
