Go 1.16.1 and Go 1.15.9 versions are released

The Golang team at Google has released Go 1.16.1 and Go 1.15.9.

As part of these releases, the Go language team addressed a few recently reported security issues.

Fixed security issues

  1. encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader

The Decode, DecodeElement and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

Sam Whited reported this issue.

Here is the commit that fixes the above issue: https://github.com/golang/go/commit/d86e53e896eca907ad67300c0bb495e3dd925358

  2. archive/zip: can panic when calling Reader.Open

The Reader.Open API in Go 1.16 will panic when used on a ZIP archive containing files that start with “../”.

Commit for the fix: https://github.com/golang/go/commit/634d28d78ccbeb6e86f8bfeba030ea8be518f8fa

Update to Go 1.16.1

Use the download link below to update to Go 1.16.1:

https://golang.org/dl/#go1.16.1

Update to Go 1.15.9

Use the download link below to update to Go 1.15.9:

https://golang.org/dl/#go1.15.9

The above security issues will be addressed in Go 1.16.2 and Go 1.15.10 versions as well.

If you are not sure which version to update to, choose Go 1.16.1.

The announcement

https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw/m/zzhWj5jPAQAJ