Go 1.17.7 Released
Hello everyone, I am polarisxu, the site owner.
Yesterday, Go released 1.17.7 and 1.16.14. These are again two minor point releases, consisting mainly of security updates.
They include fixes for three security issues:
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Thanks to Guido Vranken for reporting this. This is CVE-2022-23806 and Go issue https://go.dev/issue/50974.
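To show the crypto/elliptic issue from a defensive angle, here is an added Go example (it is not from the release notes or the Go project): a wrapper that rejects non-canonical coordinates before calling IsOnCurve, so the result is the same on patched and unpatched toolchains. The names `coordsInField` and `safeIsOnCurve` and the constructed hostile inputs are my own.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// coordsInField reports whether x and y are canonical field elements of
// curve, i.e. 0 <= x, y < P. Negative or overflowing values are exactly
// what the Go 1.17.7 fix makes IsOnCurve reject; checking them up front
// gives older toolchains the same behaviour.
func coordsInField(curve elliptic.Curve, x, y *big.Int) bool {
	p := curve.Params().P
	return x.Sign() >= 0 && y.Sign() >= 0 && x.Cmp(p) < 0 && y.Cmp(p) < 0
}

// safeIsOnCurve validates the coordinates before delegating to IsOnCurve,
// so a non-canonical big.Int can never be reported as on-curve.
// (Points obtained via elliptic.Unmarshal never need this, since Unmarshal
// only returns valid field elements.)
func safeIsOnCurve(curve elliptic.Curve, x, y *big.Int) bool {
	if x == nil || y == nil || !coordsInField(curve, x, y) {
		return false
	}
	return curve.IsOnCurve(x, y)
}

func main() {
	curve := elliptic.P256()
	gx, gy := curve.Params().Gx, curve.Params().Gy
	fmt.Println("generator:", safeIsOnCurve(curve, gx, gy)) // true

	// Constructed hostile input: Gx + P is congruent to Gx mod P but is
	// not a valid field element, so it must be rejected.
	bigX := new(big.Int).Add(gx, curve.Params().P)
	fmt.Println("overflowing x:", safeIsOnCurve(curve, bigX, gy)) // false

	// Constructed hostile input: a negative coordinate.
	negY := new(big.Int).Neg(gy)
	fmt.Println("negative y:", safeIsOnCurve(curve, gx, negY)) // false
}
```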
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.
This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
Most people should be unaffected, but if your project uses any of the packages above, consider upgrading.
You can upgrade however you prefer. This is the officially recommended way:

The Go Chinese community site (studygolang) also has installers for both versions ready; download from https://studygolang.com/dl.
FAQ: why are two versions released?
The Go team always maintains the two most recent major versions. Since Go 1.18 has not been officially released yet, the two most recent major versions are Go 1.17.x and Go 1.16.x.