
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN162
_____________________________________________________________________

DATE                : 15/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Go versions prior to 1.16.1,
                                        1.15.9.

=====================================================================
https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
_____________________________________________________________________

Go 1.16.1 and Go 1.15.9 are released

Katie Hockman
to golang-nuts


Hi gophers,

We have just released Go 1.16.1 and Go 1.15.9 to address recently
reported security issues. We recommend that all users update to one of
these releases (if you’re not sure which, choose Go 1.16.1).

    encoding/xml: infinite loop when using xml.NewTokenDecoder with a
custom TokenReader

    The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
operating on a custom xml.TokenReader which returns an EOF in the middle
of an open XML element.

    Thanks to Sam Whited for reporting this issue.

    This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

    archive/zip: panic when calling Reader.Open

    The Reader.Open API, new in Go 1.16, will panic when used on a ZIP
archive containing files that start with “../”.

    This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.

The upcoming minor releases of Go 1.16.2 and 1.15.10 will also include
the fixes above.

Downloads are available at https://golang.org/dl for all supported
platforms.

Note: we are proposing a new security policy for vulnerabilities in Go
releases. Join the discussion at golang.org/issue/44918.


Thank you,

Katie on behalf of the Go team
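
Added example (not part of the Go team's announcement or of Go itself): a pre-check that refuses to call Reader.Open on an archive containing an entry whose name starts with "../", the condition given above for CVE-2021-27919. The helper names buildZip and openChecked and the sample entry names are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"strings"
)

// buildZip returns an in-memory archive with one empty entry per name
// (constructed sample input, hypothetical helper).
func buildZip(names ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// openChecked (hypothetical helper) scans every entry name before using the
// fs.FS API and rejects the whole archive if any name starts with "../".
func openChecked(data []byte, name string) (fs.File, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ can return a usable reader together with ErrInsecurePath
	// (GODEBUG=zipinsecurepath=0); keep the reader so the scan below decides.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	for _, f := range r.File {
		if strings.HasPrefix(f.Name, "../") {
			return nil, fmt.Errorf("refusing archive: entry %q starts with ../", f.Name)
		}
	}
	return r.Open(name)
}

func main() {
	_, err := openChecked(buildZip("ok.txt", "../evil.txt"), "ok.txt")
	fmt.Println("rejected:", err)
	f, err := openChecked(buildZip("ok.txt"), "ok.txt")
	fmt.Println("opened:", f != nil, err)
}
```

The scan reads only the central directory entries in Reader.File, so it runs before any call into Reader.Open.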



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




