[security] Go 1.11.5 and Go 1.10.8 are released

aris · January 24, 2019, 5:42pm

Hi gophers,

We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).

This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

Downloads are available at All releases - The Go Programming Language for all supported platforms.

Cheers,

Julie (on behalf of the Go team)

Source: Redirecting to Google Groups

alexandros · January 24, 2019, 5:57pm

Thank you @aris

This is relevant for anyone who is compiling Hugo from source in their systems.

For users who use the Hugo release binaries there is nothing to worry about (unless they also have Go installed in their systems).

bep · January 24, 2019, 6:26pm

I’m pretty sure that we don’t use any functionality that is touched by the issue in this release.

alexandros · January 24, 2019, 6:43pm

If you say so. You know best. I just wanted to point out that this has nothing to do with the release binaries.

bep · January 24, 2019, 6:56pm

It would be relevant for the binaries is we used that functionality.

Topic		Replies	Views
Hugo 0.121.2 Released Announcements	3	530	January 5, 2024
Where does the "build with the last 2 Go versions" promise come from? dev	1	821	August 25, 2018
Hugo 0.50 Released Announcements	18	1402	December 21, 2018
Hugo 0.38 Released Announcements	14	1297	April 4, 2018
Hugo 0.48 will be >= Go 1.11 Only Announcements	27	3420	August 28, 2018

[security] Go 1.11.5 and Go 1.10.8 are released

Related topics