The Go team at Google has released Go 1.16.4 and Go 1.15.12.
As part of these releases, the Go team shipped a security fix in accordance with the new security policy.
ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones).
Transport and Client are vulnerable and the program can be made to crash by a malicious server.
Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting
Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.
This also affects golang.org/x/net/http2/h2c and
HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in email@example.com.
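
An added example (not code from the Go project or from the announcement): a Go audit helper that applies the figures above, checking a runtime version string against the fixed releases and classifying a Server.MaxHeaderBytes setting. The function names, the result strings, and the choice to treat pre-1.15 and non-release version strings as unpatched are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"runtime"
	"strconv"
)

// patched reports whether a runtime.Version()-style string is at or above the
// fixed releases (Go 1.16.4, Go 1.15.12). Assumption: strings that do not
// start with "goMAJOR.MINOR", and release lines older than 1.15, are unpatched.
func patched(v string) bool {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 {
		return false
	}
	switch {
	case major != 1:
		return major > 1
	case minor == 15:
		return patch >= 12
	case minor == 16:
		return patch >= 4
	}
	return minor > 16
}

// serverFinding classifies Server.MaxHeaderBytes for a Go version and word
// size (32 or 64) using the header sizes quoted in the advisory text.
func serverFinding(goVersion string, maxHeaderBytes, wordBits int) string {
	panicAt := 7 << 20 // "over 7MB on 64-bit architectures"
	if wordBits == 32 {
		panicAt = 4 << 20 // "over 4MB on 32-bit ones"
	}
	switch {
	case patched(goVersion):
		return "patched"
	case maxHeaderBytes <= http.DefaultMaxHeaderBytes: // <= 0 selects the 1MB default
		return "default-limit"
	case maxHeaderBytes < panicAt:
		return "raised-review"
	}
	return "exposed"
}

func main() {
	srv := &http.Server{MaxHeaderBytes: 16 << 20} // constructed sample configuration
	fmt.Println(runtime.Version(), serverFinding(runtime.Version(), srv.MaxHeaderBytes, strconv.IntSize))
}
```

Clients built on Transport or Client have no equivalent setting in the advisory, so for them only the result of patched matters.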
Update to Go 1.16.4
Use the download link below to update to Go 1.16.4.
Update to Go 1.15.12
Use the download link below to update to Go 1.15.12.
The official announcement