Go 发布了新版本:建议升级

共 3302字,需浏览 7分钟

 ·

2022-07-16 10:45

阅读本文大概需要 2 分钟。

大家好,我是 polarisxu。

今日,Go 官方发布了 Go 1.18.4 和 Go 1.17.12,主要是安全更新,而且这次涉及到了 9 个安全更新:会导致栈耗尽(stack exhaustion)。

具体包括:

  • net/http: improper sanitization of Transfer-Encoding header

    The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

    This is CVE-2022-1705 and https://go.dev/issue/53188.

  • When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

    This is https://go.dev/issue/53423 and CVE-2022-32148.

    Thanks to Christian Mehlmauer for reporting this issue.

  • compress/gzip: stack exhaustion in Reader.Read

    Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

    This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

  • encoding/xml: stack exhaustion in Unmarshal

    Calling Unmarshal on a XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

    This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

  • encoding/xml: stack exhaustion in Decoder.Skip

    Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

    The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost.

    This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

  • encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

  • path/filepath: stack exhaustion in Glob

    Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

  • io/fs: stack exhaustion in Glob

    Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

    This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

  • go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

    Thanks to Juho Nurminen of Mattermost for reporting this issue.

    This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

这里是相关 issue 的列表:https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved。

建议大家升级到最新版本(Go1.18.4 或 Go1.17.12)。

可以通过官方的方式升级:

Go 语言中文网也为大家准备了新的安装包下载:https://studygolang.com/dl




往期推荐


我是 polarisxu,北大硕士毕业,曾在 360 等知名互联网公司工作,10多年技术研发与架构经验!2012 年接触 Go 语言并创建了 Go 语言中文网!著有《Go语言编程之旅》、开源图书《Go语言标准库》等。


坚持输出技术(包括 Go、Rust 等技术)、职场心得和创业感悟!欢迎关注「polarisxu」一起成长!也欢迎加我微信好友交流:gopherstudio


浏览 96
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报
评论
图片
表情
推荐
点赞
评论
收藏
分享

手机扫一扫分享

分享
举报