
[security] Go 1.11.3 and Go 1.10.6 pre-announcement

Dmitri Shuralyov

Hello gophers,

We plan to issue Go 1.11.3 and Go 1.10.6 on Wednesday, December 12 at approximately 8 pm UTC (12 pm PST, 3 pm EST). These are minor releases to fix a security issue.

Following our policy at https://golang.org/security, this is the pre-announcement of those releases.

Thanks,

Dmitri on behalf of the Go team
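The pre-announcement names the fixed releases but not the versions that need them, so the first thing an operator does on release day is work out which toolchains in the fleet are below 1.11.3 or 1.10.6. The following Go program is an added example, not code from the Go team or the announcement. It assumes that every earlier patch release in the 1.11 and 1.10 series should be treated as unpatched, that series older than 1.10 fall outside the two-release support window described in the policy below and simply need upgrading, and that later minor series were cut from master after the fix landed; beta, rc and devel builds cannot be judged from the version string alone and are reported as unknown.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// release is a parsed Go release version such as go1.11.2.
type release struct{ major, minor, patch int }

// fixed lists the releases named in the pre-announcement, newest series
// first. Assumption for this example: every earlier patch release in the
// same series is treated as unpatched; the announcement itself does not
// enumerate affected versions.
var fixed = []release{{1, 11, 3}, {1, 10, 6}}

// Status is the classification of one toolchain version string.
type Status int

const (
	Patched     Status = iota // at or above the fixed release for its series
	Unpatched                 // same series, below the fixed release
	Unsupported               // older than the two series that receive fixes
	Unknown                   // beta/rc/devel or unparsable: cannot judge from the string
)

func (s Status) String() string {
	return [...]string{"patched", "unpatched", "unsupported", "unknown"}[s]
}

// parseRelease turns "go1.11.2" into {1, 11, 2}. The bare series tag
// "go1.11" is the .0 release and yields patch 0. Pre-release and
// development builds ("go1.12beta1", "go1.12rc1", "devel +abcdef")
// are not releases and return ok=false.
func parseRelease(v string) (release, bool) {
	fields := strings.Fields(v)
	if len(fields) == 0 {
		return release{}, false
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return release{}, false
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return release{}, false // e.g. "12beta1", "12rc1", "devel"
		}
		nums[i] = n
	}
	return release{nums[0], nums[1], nums[2]}, true
}

// Check classifies a Go version string (the output of `go version` or
// runtime.Version()) against the fixed releases.
func Check(v string) Status {
	r, ok := parseRelease(v)
	if !ok {
		return Unknown
	}
	newest, oldest := fixed[0], fixed[len(fixed)-1]
	switch {
	case r.major < oldest.major || (r.major == oldest.major && r.minor < oldest.minor):
		return Unsupported
	case r.major > newest.major || (r.major == newest.major && r.minor > newest.minor):
		// Assumption: later series were cut from master after the fix landed.
		return Patched
	}
	for _, f := range fixed {
		if r.major == f.major && r.minor == f.minor {
			if r.patch >= f.patch {
				return Patched
			}
			return Unpatched
		}
	}
	return Unknown
}

func main() {
	// The running toolchain, plus a few constructed version strings.
	fmt.Printf("%-16s %s\n", runtime.Version(), Check(runtime.Version()))
	for _, v := range []string{"go1.11.2", "go1.11.3", "go1.10.6", "go1.10", "go1.9.7", "go1.12beta1", "devel +1a2b3c"} {
		fmt.Printf("%-16s %s\n", v, Check(v))
	}
}
```

For binaries already deployed, the same check applies to the version string recorded in the binary by the toolchain that built it, since a statically linked Go program carries the vulnerable runtime or standard library with it regardless of what is installed on the host.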


Go Security Policy


  • Implementation
  • Reporting a Security Bug
  • Flagging Existing Issues as Security-related
  • Disclosure Process
  • Receiving Security Updates
  • Comments on This Policy
  • PGP Key for security@golang.org

Implementation

Reporting a Security Bug

Please report to us any issues you find. This document explains how to do that and what to expect in return.

All security bugs in the Go distribution should be reported by email to security@golang.org. This mail is delivered to a small security team. Your email will be acknowledged within 24 hours, and you'll receive a more detailed response to your email within 72 hours indicating the next steps in handling your report. For critical problems, you can encrypt your report using our PGP key (listed below).

Please use a descriptive subject line for your report email. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.

If you have not received a reply to your email within 48 hours or you have not heard from the security team for the past five days please contact the Go security team directly:

  • Primary security coordinator: Filippo Valsorda (public key).
  • Secondary coordinator: Adam Langley (public key).
  • If you receive no response, mail golang-dev@googlegroups.com or use the golang-dev web interface.

Please note that golang-dev is a public discussion forum. When escalating on this list, please do not disclose the details of the issue. Simply state that you're trying to reach a member of the security team.

Flagging Existing Issues as Security-related

If you believe that an existing issue is security-related, we ask that you send an email to security@golang.org. The email should include the issue ID and a short description of why it should be handled according to this security policy.

Disclosure Process

The Go project uses the following disclosure process:

  1. Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
  2. The issue is confirmed and a list of affected software is determined.
  3. Code is audited to find any potential similar problems.
  4. If it is determined, in consultation with the submitter, that a CVE-ID is required, the primary handler obtains one via email to oss-distros.
  5. Fixes are prepared for the two most recent major releases and the head/master revision. These fixes are not yet committed to the public repository.
  6. A notification is sent to the golang-announce mailing list to give users time to prepare their systems for the update.
  7. Three working days following this notification, the fixes are applied to the public repository and a new Go release is issued.
  8. On the date that the fixes are applied, announcements are sent to golang-announce, golang-dev, and golang-nuts.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.

For security issues that include the assignment of a CVE-ID, the issue is listed publicly under the "Golang" product on the CVEDetails website as well as in the National Vulnerability Database (NVD).

Receiving Security Updates

The best way to receive security announcements is to subscribe to the golang-announce mailing list. Any messages pertaining to a security issue will be prefixed with [security].

Comments on This Policy

If you have any suggestions to improve this policy, please send an email to golang-dev@golang.org for discussion.

PGP Key for security@golang.org

We accept PGP-encrypted email, but the majority of the security team are not regular PGP users so it's somewhat inconvenient. Please only use PGP for critical security reports.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org

mQINBFXI1h0BEADZdm05GDFWvjmQKutUVb0cJKS+VR+6XU3g/YQZGC8tnIL6i7te
+fPJHfQc2uIw0xeBgZX4Ni/S8yIqsbIjqYeaToX7QFUufJDQwrmlQRDVAvvT5HBT
J80JEs7yHRreFoLzB6dnWehWXzWle4gFKeIy+hvLrYquZVvbeEYTnX7fNzZg0+5L
ksvj7lnQlJIy1l3sL/7uPr9qsm45/hzd0WjTQS85Ry6Na3tMwRpqGENDh25Blz75
8JgK9JmtTJa00my1zzeCXU04CKKEMRbkMLozzudOH4ZLiLWcFiKRpeCn860wC8l3
oJcyyObuTSbr9o05ra3On+epjCEFkknGX1WxPv+TV34i0a23AtuVyTCloKb7RYXc
7mUaskZpU2rFBqIkzZ4MQJ7RDtGlm5oBy36j2QL63jAZ1cKoT/yvjJNp2ObmWaVF
X3tk/nYw2H0YDjTkTCgGtyAOj3Cfqrtsa5L0jG5K2p4RY8mtVgQ5EOh7QxuS+rmN
JiA39SWh7O6uFCwkz/OCXzqeh6/nP10HAb9S9IC34QQxm7Fhd0ZXzEv9IlBTIRzk
xddSdACPnLE1gJcFHxBd2LTqS/lmAFShCsf8S252kagKJfHRebQJZHCIs6kT9PfE
0muq6KRKeDXv01afAUvoB4QW/3chUrtgL2HryyO8ugMu7leVGmoZhFkIrQARAQAB
tCZHbyBTZWN1cml0eSBUZWFtIDxzZWN1cml0eUBnb2xhbmcub3JnPokCPQQTAQoA
JwUCVcjWHQIbAwUJB4YfgAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA6RtGR
eVpYOLnDD/9YVTd6DTwdJq6irVfM/ICPlPTXB0JLERqCI1Veptcp56eQoJ0XWGQp
tkGlgbvmCzFo0B+65Te7YA4R3oyBCXd6JgyWQQPy5p60FHyuuCPVAReclSWyt9f2
Yj/u4DjghKhELOvPiI96egcU3g9jrEEcPjm7JYkc9M2gVSNOnnJvcD7wpQJNCzon
51eMZ1ZyfA5UCBTa0SaT9eXg5zwNlYQnB6ZF6TjXezkhLqlTsBuHxoNVf+9vCC0o
ZKIM2ovptMx9eEguTDKWaQ7tero7Zs/q5fwk/MDzM/LGJ9aXy2RCtqBxv46vDS7G
fCNq+aPD/wyFd6hxQkvkua6hgZwYT+cJWHYA2Yv0LO3BYOJdjfc+j2hjv+mC9lF0
UpWhCVJv3hHoFaxnz62GdROzf2wXz6aR9Saj1rYSvqT9jC20VInxqMufXNN2sbpo
Kyk6MTbAeepphQpfAWQv+ltWgBiEjuFxYdwv/vmw20996JV7O8nqkeCUW84B6su+
Y3bbdP9o3DBtOT0j9LTB/FucmdNCNHoO+EnNBKJd6FoYTGLWi3Rq9DLx2V9tdJHo
Bn67dymcl+iyp337HJNY+qS+KCgoqAWlxkzXRiXKb/yluhXdIkqhg4kL8JPAJvfS
cs7Zn67Mx04ixJnRMYCDmxtD4xPsFMzM7g8m3PQp+nE7WhujM/ImM7kCDQRVyNYd
ARAAlw9H/1ybQs4K3XKA1joII16rta9KS7ew76+agXo0jeSRwMEQfItOxYvfhmo8
+ydn5TWsTbifGU8L3+EBTMRRyzWhbaGO0Wizw7BTVJ7n5JW+ndPrcUpp/ilUk6AU
VxaO/8/R+9+VJZpoeoLHXYloFGNuX58GLIy1jSBvLsLl/Ki5IOrHvD1GK6TftOl5
j8IPC1LSBrwGJO803x7wUdQP/tsKN/QPR8pnBntrEgrQFSI+Q3qrCvVMmXnBlYum
jfOBt8pKMgB9/ix+HWN8piQNQiJxD+XjEM6XwUmQqIR7y5GINKWgundCmtYIzVgY
9p2Br6UPrTJi12LfKv5s2R6NnxFHv/ad29CpPTeLJRsSqFfqBL969BCpj/isXmQE
m4FtziZidARXo12KiGAnPF9otirNHp4+8hwNB3scf7cI53y8nZivO9cwI7BoClY6
ZIabjDcJxjK+24emoz3mJ5SHpZpQLSb9o8GbLLfXOq+4uzEX2A30fhrtsQb/x0GM
4v3EU1aP2mjuksyYbgldtY64tD35wqAA9mVl5Ux+g1HoUBvLw0h+lzwh370NJw//
ITvBQVUtDMB96rfIP4fL5pYl5pmRz+vsuJ0iXzm05qBgKfSqO7To9SWxQPdX89R4
u0/XVAlw0Ak9Zceq3W96vseEUTR3aoZCMIPiwfcDaq60rWUAEQEAAYkCJQQYAQoA
DwUCVcjWHQIbDAUJB4YfgAAKCRA6RtGReVpYOEg/EADZcIYw4q1jAbDkDy3LQG07
AR8QmLp/RDp72RKbCSIYyvyXEnmrhUg98lUG676qTH+Y7dlEX107dLhFuKEYyV8D
ZalrFQO/3WpLWdIAmWrj/wq14qii1rgmy96Nh3EqG3CS50HEMGkW1llRx2rgBvGl
pgoTcwOfT+h8s0HlZdIS/cv2wXqwPgMWr1PIk3as1fu1OH8n/BjeGQQnNJEaoBV7
El2C/hz3oqf2uYQ1QvpU23F1NrstekxukO8o2Y/fqsgMJqAiNJApUCl/dNhK+W57
iicjvPirUQk8MUVEHXKhWIzYxon6aEUTx+xyNMBpRJIZlJ61FxtnZhoPiAFtXVPb
+95BRJA9npidlVFjqz9QDK/4NSnJ3KaERR9tTDcvq4zqT22Z1Ai5gWQKqogTz5Mk
F+nZwVizW0yi33id9qDpAuApp8o6AiyH5Ql1Bo23bvqS2lMrXPIS/QmPPsA76CBs
lYjQwwz8abUD1pPdzyYtMKZUMwhicSFOHFDM4oQN16k2KJuntuih8BKVDCzIOq+E
KHyeh1BqWplUtFh1ckxZlXW9p9F7TsWjtfcKaY8hkX0Cr4uVjwAFIjLcAxk67ROe
huEb3Gt+lwJz6aNnZUU87ukMAxRVR2LL0btdxgc6z8spl66GXro/LUkXmAdyOEMV
UDrmjf9pr7o00hC7lCHFzw==
=WE0r
-----END PGP PUBLIC KEY BLOCK-----



This article was shared from the WeChat official account Golang语言社区 (Golangweb).


Originally published: 2018-12-09
