[security] Go 1.11.5 and Go 1.10.8 are released


#1

Hi gophers,

We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

Downloads are available at https://golang.org/dl for all supported platforms.

Cheers,

Julie (on behalf of the Go team)

Source: https://groups.google.com/forum/m/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
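As an added example (not part of the announcement or of the Hugo project's code), this sketch classifies a toolchain version string, such as the output of `go version`, against the two fixed releases named above. The `Classify` name and verdict strings are hypothetical, and treating release lines after 1.11 as fixed is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Verdicts returned by Classify.
const (
	Patched    = "patched"
	Vulnerable = "vulnerable"
	Unknown    = "unknown"
)

// releaseRe matches final release strings such as "go1.11.4" or "go1.10",
// alone or inside `go version` output. Pre-release and devel builds do not match.
var releaseRe = regexp.MustCompile(`\bgo1\.(\d+)(?:\.(\d+))?(?:\s|$)`)

// Classify reports whether a Go version string names a release carrying
// the fix announced in Go 1.11.5 and Go 1.10.8.
func Classify(version string) string {
	m := releaseRe.FindStringSubmatch(version)
	if m == nil {
		return Unknown // devel, beta or rc build: check its commit by hand
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2]) // a missing patch component counts as 0
	fixedAt := map[int]int{10: 8, 11: 5} // fixed releases from the announcement
	switch need, ok := fixedAt[minor]; {
	case ok && patch >= need:
		return Patched
	case ok:
		return Vulnerable
	case minor > 11:
		return Patched // assumption: later release lines include the fix
	default:
		return Unknown // the announcement names no fixed release for older lines
	}
}

func main() {
	// Constructed sample inputs, plus the toolchain that built this program.
	for _, v := range []string{"go version go1.11.4 linux/amd64", "go1.10.8", runtime.Version()} {
		fmt.Printf("%-35s %s\n", v, Classify(v))
	}
}
```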


#2

Thank you @aris

This is relevant for anyone who is compiling Hugo from source in their systems.

For users who use the Hugo release binaries there is nothing to worry about (unless they also have Go installed in their systems).


#3

I’m pretty sure that we don’t use any functionality that is touched by the issue in this release.


#4

If you say so. You know best. I just wanted to point out that this has nothing to do with the release binaries.


#5

It would be relevant for the binaries if we used that functionality.