Jun 01, 2021 Article blog
This Go release is again a point update, consisting of Go 1.14.7 and Go 1.13.15, both focused on a recently reported security issue. Why does Go publish two versions per update? It is Go's practice to maintain the two most recent release branches, currently Go 1.14 and Go 1.13; once Go 1.15 is released, the maintained pair becomes Go 1.15 and Go 1.14.
Because of the security fix, all users are advised to update to the appropriate version (choose Go 1.14.7 if you are not sure which one applies to you).
The specific issue is in encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid input. Certain invalid inputs cause these functions to keep reading from their ByteReader argument without bound before returning an error. When the caller reads directly from the network, this lets an input consume far more data than expected, which matters for callers that rely on ReadUvarint and ReadVarint to consume only a small, bounded number of bytes from invalid input. After the update, ReadUvarint and ReadVarint always return after consuming at most a fixed number of bytes (specifically MaxVarintLen64, i.e. 10). The values returned are unchanged; the functions now detect and report the error without reading an excessive amount of input.

Issue: https://github.com/golang/go/issues/40618
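The following is an added example, not code from the Go project or the original article. It makes the failure mode concrete: a constructed hostile io.ByteReader (continuationReader, a name chosen here) emits 0x80 forever, i.e. a varint whose continuation bit never clears. boundedReadUvarint is a hand-written decoder with the bound the fix describes, stopping after at most binary.MaxVarintLen64 bytes; the two consumed* helpers count how many bytes each decoder pulls from the hostile reader before giving up. On a patched Go toolchain the standard library consumes exactly 10 bytes as well, which is what a defender would verify before trusting a network-facing parser built on ReadUvarint.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrOverflow is returned when a varint continues past MaxVarintLen64 bytes.
var ErrOverflow = errors.New("varint overflows a 64-bit integer")

// continuationReader is a constructed, hostile io.ByteReader for this example:
// every ReadByte returns 0x80, so the continuation bit is never cleared and an
// unbounded decoder would never stop reading. consumed counts the bytes pulled.
type continuationReader struct{ consumed int }

func (r *continuationReader) ReadByte() (byte, error) {
	r.consumed++
	return 0x80, nil
}

// boundedReadUvarint decodes a LEB128-style unsigned varint but, like the fixed
// encoding/binary, never reads more than binary.MaxVarintLen64 (10) bytes,
// regardless of what the input looks like. It is illustrative code, not the
// standard library's implementation.
func boundedReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			// Terminal byte. A 10th byte may only contribute a single bit,
			// otherwise the value does not fit in 64 bits.
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, ErrOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes without a terminator: stop reading and report it.
	return x, ErrOverflow
}

// consumedByStdlib reports how many bytes encoding/binary.ReadUvarint pulls
// from the hostile reader before returning (10 on a patched toolchain).
func consumedByStdlib() (int, error) {
	r := &continuationReader{}
	_, err := binary.ReadUvarint(r)
	return r.consumed, err
}

// consumedByBounded does the same for the bounded decoder above.
func consumedByBounded() (int, error) {
	r := &continuationReader{}
	_, err := boundedReadUvarint(r)
	return r.consumed, err
}

func main() {
	n, err := consumedByStdlib()
	fmt.Printf("stdlib ReadUvarint consumed %d bytes, err=%v\n", n, err)
	n, err = consumedByBounded()
	fmt.Printf("bounded decoder consumed %d bytes, err=%v\n", n, err)

	// Valid input still decodes normally: 0xac 0x02 encodes 300.
	v, err := boundedReadUvarint(bytes.NewReader([]byte{0xac, 0x02}))
	fmt.Printf("valid input -> %d, err=%v\n", v, err)
}
```

The important property is that the byte count is bounded by the decoder, not by the input: a parser on the unpatched versions would spin on this reader indefinitely, while both decoders here return an error after exactly ten bytes and still decode well-formed input unchanged.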
The issue is also fixed in the just-released Go 1.15 RC2. For more information on Go 1.15, see the documentation at https://tip.golang.org/doc/go1.15. It is August, and the official release of Go 1.15 should not be far away.