syscall

package standard library

Go to main page

Versions in this module

go1

go1.20.2

Mar 7, 2023

go1.20.1

Feb 14, 2023

go1.20

Feb 1, 2023

Changes in this version

+ const CLONE_CLEAR_SIGHAND — linux/amd64

+ const CLONE_INTO_CGROUP — linux/amd64

+ const CLONE_NEWCGROUP — linux/amd64

+ const CLONE_NEWTIME — linux/amd64

+ const CLONE_PIDFD — linux/amd64

type SysProcAttr — linux/amd64

+ CgroupFD int

+ UseCgroupFD bool

go1.20rc3

Jan 12, 2023

go1.20rc2

Jan 4, 2023

go1.20rc1

Dec 7, 2022

go1.19.7

Mar 7, 2023

go1.19.6

Feb 14, 2023

go1.19.5

Jan 10, 2023

go1.19.4

Dec 6, 2022

go1.19.3

Nov 1, 2022

go1.19.2

Oct 4, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.19.1

Sep 6, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.19

Aug 2, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.19rc2

Jul 12, 2022

go1.19rc1

Jul 6, 2022

go1.19beta1

Jun 9, 2022

go1.18.10

Jan 10, 2023

go1.18.9

Dec 6, 2022

go1.18.8

Nov 1, 2022

go1.18.7

Oct 4, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.6

Sep 6, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.5

Aug 1, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.4

Jul 12, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.3

Jun 1, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.2

May 10, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18.1

Apr 12, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18

Mar 15, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

type Errno — windows/amd64

+ func SyscallN(trap uintptr, args ...uintptr) (r1, r2 uintptr, err Errno)

go1.18rc1

Feb 16, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18beta2

Jan 31, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.18beta1

Dec 14, 2021 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.13

Aug 1, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.12

Jul 12, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.11

Jun 1, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.10

May 10, 2022 GO-2022-1095

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.9

Apr 12, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.8

Mar 3, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.7

Feb 9, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.6

Jan 6, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.5

Dec 9, 2021 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.4

Dec 2, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.3

Nov 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.2

Oct 7, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17.1

Sep 9, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17

Aug 16, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

type SysProcAttr — windows/amd64

+ AdditionalInheritedHandles []Handle

+ ParentProcess Handle

go1.17rc2

Aug 2, 2021 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17rc1

Jul 13, 2021 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.17beta1

Jun 10, 2021 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.15

Mar 3, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.14

Feb 9, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.13

Jan 6, 2022 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.12

Dec 9, 2021 GO-2022-0493GO-2022-1095

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.11

Dec 2, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.10

Nov 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.9

Oct 7, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.8

Sep 9, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.7

Aug 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.6

Jul 12, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.5

Jun 3, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.4

May 6, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.3

Apr 1, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.2

Mar 11, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16.1

Mar 10, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16

Feb 16, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ func Setegid(egid int) (err error) — linux/amd64

+ func Seteuid(euid int) (err error) — linux/amd64

type DLLError — windows/amd64

+ func (e *DLLError) Unwrap() error

type Errno — linux/amd64

+ func AllThreadsSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)

+ func AllThreadsSyscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno)

type SysProcAttr — windows/amd64

+ NoInheritHandles bool

go1.16rc1

Jan 27, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.16beta1

Dec 17, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.15

Aug 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.14

Jul 12, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.13

Jun 3, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.12

May 6, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.11

Apr 1, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.10

Mar 11, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.9

Mar 10, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.8

Feb 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.7

Jan 19, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.6

Dec 3, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.5

Nov 12, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.4

Nov 5, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.3

Oct 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.2

Sep 9, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15.1

Sep 1, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15

Aug 11, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15rc2

Aug 7, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15rc1

Jul 24, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.15beta1

Jun 10, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.15

Feb 4, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.14

Jan 19, 2021 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.13

Dec 3, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.12

Nov 12, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.11

Nov 5, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.10

Oct 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.9

Sep 9, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.8

Sep 1, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.7

Aug 6, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.6

Jul 16, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.5

Jul 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.4

Jun 1, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.3

May 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.2

Apr 8, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14.1

Mar 19, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14

Feb 25, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const CTRL_CLOSE_EVENT — windows/amd64

+ const CTRL_LOGOFF_EVENT — windows/amd64

+ const CTRL_SHUTDOWN_EVENT — windows/amd64

go1.14rc1

Feb 5, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.14beta1

Dec 17, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.15

Aug 6, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.14

Jul 16, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.13

Jul 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.12

Jun 1, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.11

May 14, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.10

Apr 8, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.9

Mar 19, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.8

Feb 12, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.7

Jan 27, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.6

Jan 9, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.5

Dec 4, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.4

Oct 31, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.3

Oct 17, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.2

Oct 17, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13.1

Sep 25, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13

Sep 3, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ func Umask(mask int) (oldmask int) — js/wasm

type Errno

+ func (e Errno) Is(target error) bool

type SysProcAttr — windows/amd64

+ ProcessAttributes *SecurityAttributes

+ ThreadAttributes *SecurityAttributes

go1.13rc2

Aug 29, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13rc1

Aug 21, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.13beta1

Jun 26, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.17

Feb 12, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.16

Jan 27, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.15

Jan 9, 2020 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.14

Dec 4, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.13

Oct 31, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.12

Oct 17, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.11

Oct 17, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.10

Sep 25, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.9

Aug 15, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.8

Aug 13, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.7

Jul 8, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.6

Jun 11, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.5

May 6, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.4

Apr 11, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.3

Apr 8, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.2

Apr 5, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12.1

Mar 14, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12

Feb 25, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const UNIX_PATH_MAX — windows/amd64

type Errno — windows/amd64

+ func Syscall18(...) (r1, r2 uintptr, err Errno)

+ type RawSockaddrUnix struct — windows/amd64

+ Family uint16

+ Path [UNIX_PATH_MAX]int8

type Signal — js/wasm

+ const SIGTERM

go1.12rc1

Feb 11, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12beta2

Jan 10, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.12beta1

Dec 18, 2018 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.13

Aug 13, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.12

Jul 8, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.11

Jun 11, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.10

May 6, 2019 GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.9

Apr 11, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.8

Apr 8, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.7

Apr 5, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.6

Mar 14, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.5

Jan 23, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.4

Dec 14, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.3

Dec 13, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.2

Nov 2, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11.1

Oct 1, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11

Aug 24, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const AF_INET — js/wasm

+ const AF_INET6 — js/wasm

+ const AF_UNIX — js/wasm

+ const AF_UNSPEC — js/wasm

+ const F_CNVT — js/wasm

+ const F_DUPFD — js/wasm

+ const F_DUPFD_CLOEXEC — js/wasm

+ const F_GETFD — js/wasm

+ const F_GETFL — js/wasm

+ const F_GETLK — js/wasm

+ const F_GETOWN — js/wasm

+ const F_RDLCK — js/wasm

+ const F_RGETLK — js/wasm

+ const F_RSETLK — js/wasm

+ const F_RSETLKW — js/wasm

+ const F_SETFD — js/wasm

+ const F_SETFL — js/wasm

+ const F_SETLK — js/wasm

+ const F_SETLKW — js/wasm

+ const F_SETOWN — js/wasm

+ const F_UNLCK — js/wasm

+ const F_UNLKSYS — js/wasm

+ const F_WRLCK — js/wasm

+ const IPPROTO_IP — js/wasm

+ const IPPROTO_IPV4 — js/wasm

+ const IPPROTO_IPV6 — js/wasm

+ const IPPROTO_TCP — js/wasm

+ const IPPROTO_UDP — js/wasm

+ const IPV6_V6ONLY — js/wasm

+ const ImplementsGetwd — js/wasm

+ const O_APPEND — js/wasm

+ const O_CLOEXEC — js/wasm

+ const O_CREAT — js/wasm

+ const O_CREATE — js/wasm

+ const O_EXCL — js/wasm

+ const O_RDONLY — js/wasm

+ const O_RDWR — js/wasm

+ const O_SYNC — js/wasm

+ const O_TRUNC — js/wasm

+ const O_WRONLY — js/wasm

+ const PathMax — js/wasm

+ const SOCK_DGRAM — js/wasm

+ const SOCK_RAW — js/wasm

+ const SOCK_SEQPACKET — js/wasm

+ const SOCK_STREAM — js/wasm

+ const SOMAXCONN — js/wasm

+ const SO_ERROR — js/wasm

+ const SYS_FCNTL — js/wasm

+ const S_IEXEC — js/wasm

+ const S_IFBLK — js/wasm

+ const S_IFBOUNDSOCK — js/wasm

+ const S_IFCHR — js/wasm

+ const S_IFCOND — js/wasm

+ const S_IFDIR — js/wasm

+ const S_IFDSOCK — js/wasm

+ const S_IFIFO — js/wasm

+ const S_IFLNK — js/wasm

+ const S_IFMT — js/wasm

+ const S_IFMUTEX — js/wasm

+ const S_IFREG — js/wasm

+ const S_IFSEMA — js/wasm

+ const S_IFSHM — js/wasm

+ const S_IFSHM_SYSV — js/wasm

+ const S_IFSOCK — js/wasm

+ const S_IFSOCKADDR — js/wasm

+ const S_IREAD — js/wasm

+ const S_IRGRP — js/wasm

+ const S_IROTH — js/wasm

+ const S_IRUSR — js/wasm

+ const S_IRWXG — js/wasm

+ const S_IRWXO — js/wasm

+ const S_IRWXU — js/wasm

+ const S_ISGID — js/wasm

+ const S_ISUID — js/wasm

+ const S_ISVTX — js/wasm

+ const S_IWGRP — js/wasm

+ const S_IWOTH — js/wasm

+ const S_IWRITE — js/wasm

+ const S_IWUSR — js/wasm

+ const S_IXGRP — js/wasm

+ const S_IXOTH — js/wasm

+ const S_IXUSR — js/wasm

+ const S_UNSUP — js/wasm

+ const Stderr — js/wasm

+ const Stdin — js/wasm

+ const Stdout — js/wasm

+ const TOKEN_ADJUST_SESSIONID — windows/amd64

+ var ForkLock sync.RWMutex — js/wasm

+ func Bind(fd int, sa Sockaddr) error — js/wasm

+ func Chdir(path string) (err error) — js/wasm

+ func Chmod(path string, mode uint32) error — js/wasm

+ func Chown(path string, uid, gid int) error — js/wasm

+ func Clearenv() — js/wasm

+ func Close(fd int) error — js/wasm

+ func CloseOnExec(fd int) — js/wasm

+ func Connect(fd int, sa Sockaddr) error — js/wasm

+ func Dup(fd int) (int, error) — js/wasm

+ func Dup2(fd, newfd int) error — js/wasm

+ func Environ() []string — js/wasm

+ func Fchdir(fd int) error — js/wasm

+ func Fchmod(fd int, mode uint32) error — js/wasm

+ func Fchown(fd int, uid, gid int) error — js/wasm

+ func Fstat(fd int, st *Stat_t) error — js/wasm

+ func Fsync(fd int) error — js/wasm

+ func Ftruncate(fd int, length int64) error — js/wasm

+ func Getcwd(buf []byte) (n int, err error) — js/wasm

+ func Getegid() int — js/wasm

+ func Getenv(key string) (value string, found bool) — js/wasm

+ func Geteuid() int — js/wasm

+ func Getgid() int — js/wasm

+ func Getgroups() ([]int, error) — js/wasm

+ func Getpid() int — js/wasm

+ func Getppid() int — js/wasm

+ func GetsockoptInt(fd, level, opt int) (value int, err error) — js/wasm

+ func Gettimeofday(tv *Timeval) error — js/wasm

+ func Getuid() int — js/wasm

+ func Getwd() (wd string, err error) — js/wasm

+ func Kill(pid int, signum Signal) error — js/wasm

+ func Lchown(path string, uid, gid int) error — js/wasm

+ func Link(path, link string) error — js/wasm

+ func Listen(fd int, backlog int) error — js/wasm

+ func Lstat(path string, st *Stat_t) error — js/wasm

+ func Mkdir(path string, perm uint32) error — js/wasm

+ func Open(path string, openmode int, perm uint32) (int, error) — js/wasm

+ func ParseDirent(buf []byte, max int, names []string) (consumed int, count int, newnames []string) — js/wasm

+ func Pipe(fd []int) error — js/wasm

+ func Pread(fd int, b []byte, offset int64) (int, error) — js/wasm

+ func Pwrite(fd int, b []byte, offset int64) (int, error) — js/wasm

+ func Read(fd int, b []byte) (int, error) — js/wasm

+ func ReadDirent(fd int, buf []byte) (int, error) — js/wasm

+ func Readlink(path string, buf []byte) (n int, err error) — js/wasm

+ func Rename(from, to string) error — js/wasm

+ func Rmdir(path string) error — js/wasm

+ func Seek(fd int, offset int64, whence int) (int64, error) — js/wasm

+ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) — js/wasm

+ func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error) — js/wasm

+ func Sendto(fd int, p []byte, flags int, to Sockaddr) error — js/wasm

+ func SetNonblock(fd int, nonblocking bool) error — js/wasm

+ func SetReadDeadline(fd int, t int64) error — js/wasm

+ func SetWriteDeadline(fd int, t int64) error — js/wasm

+ func Setenv(key, value string) error — js/wasm

+ func SetsockoptInt(fd, level, opt int, value int) error — js/wasm

+ func Shutdown(fd int, how int) error — js/wasm

+ func Socket(proto, sotype, unused int) (fd int, err error) — js/wasm

+ func StartProcess(argv0 string, argv []string, attr *ProcAttr) (pid int, handle uintptr, err error) — js/wasm

+ func Stat(path string, st *Stat_t) error — js/wasm

+ func StopIO(fd int) error — js/wasm

+ func Symlink(path, link string) error — js/wasm

+ func Sysctl(key string) (string, error) — js/wasm

+ func TimespecToNsec(ts Timespec) int64 — js/wasm

+ func TimevalToNsec(tv Timeval) int64 — js/wasm

+ func Truncate(path string, length int64) error — js/wasm

+ func Unlink(path string) error — js/wasm

+ func Unsetenv(key string) error — js/wasm

+ func UtimesNano(path string, ts []Timespec) error — js/wasm

+ func Wait4(pid int, wstatus *WaitStatus, options int, rusage *Rusage) (wpid int, err error) — js/wasm

+ func Write(fd int, b []byte) (int, error) — js/wasm

+ type CertInfo struct — windows/amd64

+ type CertRevocationCrlInfo struct — windows/amd64

+ type CertTrustListInfo struct — windows/amd64

+ type Dirent struct — js/wasm

+ Name [256]byte

+ Reclen uint16

+ type Errno uintptr — js/wasm

+ const E2BIG

+ const EACCES

+ const EADDRINUSE

+ const EADDRNOTAVAIL

+ const EADV

+ const EAFNOSUPPORT

+ const EAGAIN

+ const EALREADY

+ const EBADE

+ const EBADF

+ const EBADFD

+ const EBADMSG

+ const EBADR

+ const EBADRQC

+ const EBADSLT

+ const EBFONT

+ const EBUSY

+ const ECANCELED

+ const ECASECLASH

+ const ECHILD

+ const ECHRNG

+ const ECOMM

+ const ECONNABORTED

+ const ECONNREFUSED

+ const ECONNRESET

+ const EDEADLK

+ const EDEADLOCK

+ const EDESTADDRREQ

+ const EDOM

+ const EDOTDOT

+ const EDQUOT

+ const EEXIST

+ const EFAULT

+ const EFBIG

+ const EFTYPE

+ const EHOSTDOWN

+ const EHOSTUNREACH

+ const EIDRM

+ const EILSEQ

+ const EINPROGRESS

+ const EINTR

+ const EINVAL

+ const EIO

+ const EISCONN

+ const EISDIR

+ const EL2HLT

+ const EL2NSYNC

+ const EL3HLT

+ const EL3RST

+ const ELBIN

+ const ELIBACC

+ const ELIBBAD

+ const ELIBEXEC

+ const ELIBMAX

+ const ELIBSCN

+ const ELNRNG

+ const ELOOP

+ const EMFILE

+ const EMLINK

+ const EMSGSIZE

+ const EMULTIHOP

+ const ENAMETOOLONG

+ const ENETDOWN

+ const ENETRESET

+ const ENETUNREACH

+ const ENFILE

+ const ENMFILE

+ const ENOANO

+ const ENOBUFS

+ const ENOCSI

+ const ENODATA

+ const ENODEV

+ const ENOENT

+ const ENOEXEC

+ const ENOLCK

+ const ENOLINK

+ const ENOMEDIUM

+ const ENOMEM

+ const ENOMSG

+ const ENONET

+ const ENOPKG

+ const ENOPROTOOPT

+ const ENOSHARE

+ const ENOSPC

+ const ENOSR

+ const ENOSTR

+ const ENOSYS

+ const ENOTCONN

+ const ENOTDIR

+ const ENOTEMPTY

+ const ENOTSOCK

+ const ENOTSUP

+ const ENOTTY

+ const ENOTUNIQ

+ const ENXIO

+ const EOPNOTSUPP

+ const EOVERFLOW

+ const EPERM

+ const EPFNOSUPPORT

+ const EPIPE

+ const EPROCLIM

+ const EPROTO

+ const EPROTONOSUPPORT

+ const EPROTOTYPE

+ const ERANGE

+ const EREMCHG

+ const EREMOTE

+ const EROFS

+ const ESHUTDOWN

+ const ESOCKTNOSUPPORT

+ const ESPIPE

+ const ESRCH

+ const ESRMNT

+ const ESTALE

+ const ETIME

+ const ETIMEDOUT

+ const ETOOMANYREFS

+ const EUNATCH

+ const EUSERS

+ const EWOULDBLOCK

+ const EXDEV

+ const EXFULL

+ func RawSyscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)

+ func RawSyscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno)

+ func Syscall(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err Errno)

+ func Syscall6(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err Errno)

+ func (e Errno) Error() string

+ func (e Errno) Temporary() bool

+ func (e Errno) Timeout() bool

+ type Iovec struct — js/wasm

+ type Pointer *struct — windows/amd64

+ type ProcAttr struct — js/wasm

+ Dir string

+ Env []string

+ Files []uintptr

+ Sys *SysProcAttr

+ type Rusage struct — js/wasm

+ Stime Timeval

+ Utime Timeval

+ type Signal int — js/wasm

+ const SIGCHLD

+ const SIGINT

+ const SIGKILL

+ const SIGQUIT

+ const SIGTRAP

+ func (s Signal) Signal()

+ func (s Signal) String() string

+ type Sockaddr interface — js/wasm

+ func Accept(fd int) (newfd int, sa Sockaddr, err error)

+ func Recvfrom(fd int, p []byte, flags int) (n int, from Sockaddr, err error)

+ func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn, recvflags int, from Sockaddr, err error)

+ type SockaddrInet4 struct — js/wasm

+ Addr [4]byte

+ Port int

+ type SockaddrInet6 struct — js/wasm

+ Addr [16]byte

+ Port int

+ ZoneId uint32

+ type SockaddrUnix struct — js/wasm

+ Name string

+ type Stat_t struct — js/wasm

+ Atime int64

+ AtimeNsec int64

+ Blksize int32

+ Blocks int32

+ Ctime int64

+ CtimeNsec int64

+ Dev int64

+ Gid uint32

+ Ino uint64

+ Mode uint32

+ Mtime int64

+ MtimeNsec int64

+ Nlink uint32

+ Rdev int64

+ Size int64

+ Uid uint32

+ type SysProcAttr struct — js/wasm

+ type Timespec struct — js/wasm

+ Nsec int64

+ Sec int64

+ func NsecToTimespec(nsec int64) Timespec

+ func (ts *Timespec) Nano() int64

+ func (ts *Timespec) Unix() (sec int64, nsec int64)

+ type Timeval struct — js/wasm

+ Sec int64

+ Usec int64

+ func NsecToTimeval(nsec int64) Timeval

+ func (tv *Timeval) Nano() int64

+ func (tv *Timeval) Unix() (sec int64, nsec int64)

+ type WaitStatus uint32 — js/wasm

+ func (w WaitStatus) Continued() bool

+ func (w WaitStatus) CoreDump() bool

+ func (w WaitStatus) ExitStatus() int

+ func (w WaitStatus) Exited() bool

+ func (w WaitStatus) Signal() Signal

+ func (w WaitStatus) Signaled() bool

+ func (w WaitStatus) StopSignal() Signal

+ func (w WaitStatus) Stopped() bool

+ func (w WaitStatus) TrapCause() int

go1.11rc2

Aug 22, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11rc1

Aug 13, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11beta3

Aug 3, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11beta2

Jul 19, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.11beta1

Jun 26, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.8

Jan 23, 2019 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.7

Dec 14, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.6

Dec 13, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.5

Nov 2, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.4

Aug 24, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.3

Jun 6, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.2

Apr 30, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10.1

Mar 29, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10

Feb 16, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ func CreateProcessAsUser(token Token, appName *uint16, commandLine *uint16, ...) (err error) — windows/amd64

+ func Exit(code int) — js/wasm

type SysProcAttr — windows/amd64

+ Token Token

go1.10rc2

Feb 7, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10rc1

Jan 25, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10beta2

Jan 11, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.10beta1

Dec 7, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.7

Jun 6, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.6

Apr 30, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.5

Mar 29, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.4

Feb 7, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.3

Jan 22, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.2

Oct 25, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9.1

Oct 4, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9

Aug 24, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ type Conn interface

+ SyscallConn func() (RawConn, error)

type Credential — darwin/amd64, linux/amd64

+ NoSetGroups bool

type Errno — windows/amd64

+ const WSAECONNABORTED

+ type RawConn interface

+ Control func(f func(fd uintptr)) error

+ Read func(f func(fd uintptr) (done bool)) error

+ Write func(f func(fd uintptr) (done bool)) error

type SysProcAttr — linux/amd64

+ AmbientCaps []uintptr

go1.9rc2

Aug 7, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9rc1

Jul 24, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9beta2

Jun 26, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.9beta1

Jun 14, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.7

Feb 7, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.6

Jan 23, 2018 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.5

Oct 25, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.5rc5

Oct 25, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.5rc4

Oct 20, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.4

Oct 4, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.3

May 24, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.2

May 23, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8.1

Apr 7, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8

Feb 16, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ func Getpagesize() int — js/wasm

type Errno — windows/amd64

+ const ERROR_DIR_NOT_EMPTY

go1.8rc3

Jan 26, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8rc2

Jan 19, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8rc1

Jan 10, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8beta2

Dec 15, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.8beta1

Dec 1, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.6

May 23, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.5

Jan 26, 2017 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.4

Dec 1, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.3

Oct 19, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.2

Oct 17, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7.1

Sep 7, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7

Aug 15, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

type SysProcAttr — linux/amd64

+ Unshareflags uintptr

go1.7rc6

Aug 8, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7rc5

Aug 2, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7rc4

Aug 2, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7rc3

Jul 21, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7rc2

Jul 18, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7rc1

Jul 8, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7beta2

Jun 16, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.7beta1

Jun 2, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6.4

Dec 1, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6.3

Jul 18, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6.2

Apr 19, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6.1

Apr 11, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6

Feb 17, 2016 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6rc2

Feb 3, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6rc1

Jan 28, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6beta2

Jan 13, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.6beta1

Dec 17, 2015 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5.4

Apr 11, 2016 GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5.3

Jan 13, 2016 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5.2

Dec 3, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5.1

Sep 9, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5

Aug 19, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

type SysProcAttr — darwin/amd64

+ Ctty int

+ Foreground bool

+ Pgid int

type SysProcAttr — linux/amd64

+ GidMappingsEnableSetgroups bool

go1.5rc1

Aug 6, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5beta3

Jul 29, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5beta2

Jul 17, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.5beta1

Jul 7, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4.3

Sep 23, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4.2

Feb 18, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4.1

Jan 15, 2015 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4

Dec 11, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const DNS_INFO_NO_RECORDS — windows/amd64

+ const DnsSectionAdditional — windows/amd64

+ const DnsSectionAnswer — windows/amd64

+ const DnsSectionAuthority — windows/amd64

+ const DnsSectionQuestion — windows/amd64

+ const FILE_ATTRIBUTE_REPARSE_POINT — windows/amd64

+ const FILE_FLAG_OPEN_REPARSE_POINT — windows/amd64

+ const FSCTL_GET_REPARSE_POINT — windows/amd64

+ const IO_REPARSE_TAG_SYMLINK — windows/amd64

+ const MAXIMUM_REPARSE_DATA_BUFFER_SIZE — windows/amd64

+ const SIO_UDP_CONNRESET — windows/amd64

+ const SYMBOLIC_LINK_FLAG_DIRECTORY — windows/amd64

+ const TH32CS_INHERIT — windows/amd64

+ const TH32CS_SNAPALL — windows/amd64

+ const TH32CS_SNAPHEAPLIST — windows/amd64

+ const TH32CS_SNAPMODULE — windows/amd64

+ const TH32CS_SNAPMODULE32 — windows/amd64

+ const TH32CS_SNAPPROCESS — windows/amd64

+ const TH32CS_SNAPTHREAD — windows/amd64

+ func CreateHardLink(filename *uint16, existingfilename *uint16, reserved uintptr) (err error) — windows/amd64

+ func CreateSymbolicLink(symlinkfilename *uint16, targetfilename *uint16, flags uint32) (err error) — windows/amd64

+ func DeviceIoControl(handle Handle, ioControlCode uint32, inBuffer *byte, inBufferSize uint32, ...) (err error) — windows/amd64

+ func DnsNameCompare(name1 *uint16, name2 *uint16) (same bool) — windows/amd64

+ func FullPath(name string) (path string, err error) — windows/amd64

+ func LoadCreateSymbolicLink() error — windows/amd64

+ func Process32First(snapshot Handle, procEntry *ProcessEntry32) (err error) — windows/amd64

+ func Process32Next(snapshot Handle, procEntry *ProcessEntry32) (err error) — windows/amd64

+ func Unsetenv(key string) error — darwin/amd64, linux/amd64, windows/amd64

type Errno — windows/amd64

+ const ERROR_PRIVILEGE_NOT_HELD

type Handle — windows/amd64

+ func CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle Handle, err error)

+ type ProcessEntry32 struct — windows/amd64

+ DefaultHeapID uintptr

+ ExeFile [MAX_PATH]uint16

+ Flags uint32

+ ModuleID uint32

+ ParentProcessID uint32

+ PriClassBase int32

+ ProcessID uint32

+ Size uint32

+ Threads uint32

+ Usage uint32

type SysProcAttr — linux/amd64

+ GidMappings []SysProcIDMap

+ UidMappings []SysProcIDMap

+ type SysProcIDMap struct — linux/amd64

+ ContainerID int

+ HostID int

+ Size int

go1.4rc2

Dec 2, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4rc1

Nov 17, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.4beta1

Oct 30, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3.3

Oct 1, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3.2

Sep 25, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3.1

Aug 13, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3

Jun 19, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const IOC_VENDOR — windows/amd64

+ const SIO_KEEPALIVE_VALS — windows/amd64

+ func FcntlFlock(fd uintptr, cmd int, lk *Flock_t) error — darwin/amd64, linux/amd64

+ func Mlock(b []byte) (err error) — darwin/amd64

+ func Mlockall(flags int) (err error) — darwin/amd64

+ func Mprotect(b []byte, prot int) (err error) — darwin/amd64

+ func Munlock(b []byte) (err error) — darwin/amd64

+ func Munlockall() (err error) — darwin/amd64

+ func NewCallbackCDecl(fn interface{}) uintptr — windows/amd64

+ func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error) — darwin/amd64, linux/amd64

type Errno — windows/amd64

+ const ERROR_MORE_DATA

+ type Flock_t struct — linux/amd64

+ Len int64

+ Pad_cgo_0 [4]byte

+ Pad_cgo_1 [4]byte

+ Pid int32

+ Start int64

+ Type int16

+ Whence int16

+ type TCPKeepalive struct — windows/amd64

+ Interval uint32

+ OnOff uint32

+ Time uint32

go1.3rc2

Jun 13, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3rc1

Jun 2, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3beta2

May 21, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.3beta1

Apr 22, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.2.2

May 5, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.2.1

Mar 3, 2014 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

type Errno — windows/amd64

+ const ERROR_NETNAME_DELETED

+ const WSAECONNRESET

go1.2

Nov 28, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const BASE_PROTOCOL — windows/amd64

+ const CLONE_CHILD_CLEARTID — linux/amd64

+ const CLONE_CHILD_SETTID — linux/amd64

+ const CLONE_DETACHED — linux/amd64

+ const CLONE_FILES — linux/amd64

+ const CLONE_FS — linux/amd64

+ const CLONE_IO — linux/amd64

+ const CLONE_NEWIPC — linux/amd64

+ const CLONE_NEWNET — linux/amd64

+ const CLONE_NEWNS — linux/amd64

+ const CLONE_NEWPID — linux/amd64

+ const CLONE_NEWUSER — linux/amd64

+ const CLONE_NEWUTS — linux/amd64

+ const CLONE_PARENT — linux/amd64

+ const CLONE_PARENT_SETTID — linux/amd64

+ const CLONE_PTRACE — linux/amd64

+ const CLONE_SETTLS — linux/amd64

+ const CLONE_SIGHAND — linux/amd64

+ const CLONE_SYSVSEM — linux/amd64

+ const CLONE_THREAD — linux/amd64

+ const CLONE_UNTRACED — linux/amd64

+ const CLONE_VFORK — linux/amd64

+ const CLONE_VM — linux/amd64

+ const FILE_SKIP_COMPLETION_PORT_ON_SUCCESS — windows/amd64

+ const FILE_SKIP_SET_EVENT_ON_HANDLE — windows/amd64

+ const ICMP6_FILTER — darwin/amd64

+ const ICMPV6_FILTER — linux/amd64

+ const LAYERED_PROTOCOL — windows/amd64

+ const MAX_PROTOCOL_CHAIN — windows/amd64

+ const NetSetupDomainName — windows/amd64

+ const NetSetupUnjoined — windows/amd64

+ const NetSetupUnknownStatus — windows/amd64

+ const NetSetupWorkgroupName — windows/amd64

+ const PFL_HIDDEN — windows/amd64

+ const PFL_MATCHES_PROTOCOL_ZERO — windows/amd64

+ const PFL_MULTIPLE_PROTO_ENTRIES — windows/amd64

+ const PFL_NETWORKDIRECT_PROVIDER — windows/amd64

+ const PFL_RECOMMENDED_PROTO_ENTRY — windows/amd64

+ const PRIO_PGRP — darwin/amd64, linux/amd64

+ const PRIO_PROCESS — darwin/amd64, linux/amd64

+ const PRIO_USER — darwin/amd64, linux/amd64

+ const PROCESS_TERMINATE — windows/amd64

+ const SizeofICMPv6Filter — darwin/amd64, linux/amd64

+ const SizeofIPv6MTUInfo — darwin/amd64, linux/amd64

+ const TCIFLUSH — linux/amd64

+ const TCIOFLUSH — linux/amd64

+ const TCOFLUSH — linux/amd64

+ const WSAPROTOCOL_LEN — windows/amd64

+ const XP1_CONNECTIONLESS — windows/amd64

+ const XP1_CONNECT_DATA — windows/amd64

+ const XP1_DISCONNECT_DATA — windows/amd64

+ const XP1_EXPEDITED_DATA — windows/amd64

+ const XP1_GRACEFUL_CLOSE — windows/amd64

+ const XP1_GUARANTEED_DELIVERY — windows/amd64

+ const XP1_GUARANTEED_ORDER — windows/amd64

+ const XP1_IFS_HANDLES — windows/amd64

+ const XP1_MESSAGE_ORIENTED — windows/amd64

+ const XP1_MULTIPOINT_CONTROL_PLANE — windows/amd64

+ const XP1_MULTIPOINT_DATA_PLANE — windows/amd64

+ const XP1_PARTIAL_MESSAGE — windows/amd64

+ const XP1_PSEUDO_STREAM — windows/amd64

+ const XP1_QOS_SUPPORTED — windows/amd64

+ const XP1_SAN_SUPPORT_SDP — windows/amd64

+ const XP1_SUPPORT_BROADCAST — windows/amd64

+ const XP1_SUPPORT_MULTIPOINT — windows/amd64

+ const XP1_UNI_RECV — windows/amd64

+ const XP1_UNI_SEND — windows/amd64

+ func Dup3(oldfd int, newfd int, flags int) (err error) — linux/amd64

+ func Getpriority(which int, who int) (prio int, err error) — linux/amd64

+ func LoadSetFileCompletionNotificationModes() error — windows/amd64

+ func NetGetJoinInformation(server *uint16, name **uint16, bufType *uint32) (neterr error) — windows/amd64

+ func SetFileCompletionNotificationModes(handle Handle, flags uint8) (err error) — windows/amd64

+ func Setpriority(which int, who int, prio int) (err error) — linux/amd64

+ func SetsockoptByte(fd, level, opt int, value byte) (err error) — linux/amd64

+ func SetsockoptICMPv6Filter(fd, level, opt int, filter *ICMPv6Filter) error — darwin/amd64, linux/amd64

+ func WSAEnumProtocols(protocols *int32, protocolBuffer *WSAProtocolInfo, bufferLength *uint32) (n int32, err error) — windows/amd64

type Errno — darwin/amd64

+ func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err Errno)

type Errno — windows/amd64

+ const ERROR_HANDLE_EOF

+ const WSAEACCES

+ type ICMPv6Filter struct — darwin/amd64, linux/amd64

+ Data [8]uint32

+ Filt [8]uint32

+ func GetsockoptICMPv6Filter(fd, level, opt int) (*ICMPv6Filter, error)

+ type IPv6MTUInfo struct — darwin/amd64, linux/amd64

+ Addr RawSockaddrInet6

+ Mtu uint32

+ func GetsockoptIPv6MTUInfo(fd, level, opt int) (*IPv6MTUInfo, error)

type SysProcAttr — linux/amd64

+ Cloneflags uintptr

+ type WSAProtocolChain struct — windows/amd64

+ ChainEntries [MAX_PROTOCOL_CHAIN]uint32

+ ChainLen int32

+ type WSAProtocolInfo struct — windows/amd64

+ AddressFamily int32

+ CatalogEntryId uint32

+ MaxSockAddr int32

+ MessageSize uint32

+ MinSockAddr int32

+ NetworkByteOrder int32

+ Protocol int32

+ ProtocolChain WSAProtocolChain

+ ProtocolMaxOffset int32

+ ProtocolName [WSAPROTOCOL_LEN + 1]uint16

+ ProviderFlags uint32

+ ProviderId GUID

+ ProviderReserved uint32

+ SecurityScheme int32

+ ServiceFlags1 uint32

+ ServiceFlags2 uint32

+ ServiceFlags3 uint32

+ ServiceFlags4 uint32

+ SocketType int32

+ Version int32

go1.2rc5

Nov 18, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.2rc4

Nov 13, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.2rc3

Nov 1, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.2rc2

Oct 18, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.1.2

Aug 13, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.1.1

Jun 13, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.1

May 13, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const AI_CANONNAME — windows/amd64

+ const AI_NUMERICHOST — windows/amd64

+ const AI_PASSIVE — windows/amd64

+ const B0 — darwin/amd64

+ const B110 — darwin/amd64

+ const B115200 — darwin/amd64

+ const B1200 — darwin/amd64

+ const B134 — darwin/amd64

+ const B14400 — darwin/amd64

+ const B150 — darwin/amd64

+ const B1800 — darwin/amd64

+ const B19200 — darwin/amd64

+ const B200 — darwin/amd64

+ const B230400 — darwin/amd64

+ const B2400 — darwin/amd64

+ const B28800 — darwin/amd64

+ const B300 — darwin/amd64

+ const B38400 — darwin/amd64

+ const B4800 — darwin/amd64

+ const B50 — darwin/amd64

+ const B57600 — darwin/amd64

+ const B600 — darwin/amd64

+ const B7200 — darwin/amd64

+ const B75 — darwin/amd64

+ const B76800 — darwin/amd64

+ const B9600 — darwin/amd64

+ const BRKINT — darwin/amd64

+ const CFLUSH — darwin/amd64

+ const CLOCAL — darwin/amd64

+ const CREAD — darwin/amd64

+ const CREATE_NEW_PROCESS_GROUP — windows/amd64

+ const CS5 — darwin/amd64

+ const CS6 — darwin/amd64

+ const CS7 — darwin/amd64

+ const CS8 — darwin/amd64

+ const CSIZE — darwin/amd64

+ const CSTART — darwin/amd64

+ const CSTATUS — darwin/amd64

+ const CSTOP — darwin/amd64

+ const CSTOPB — darwin/amd64

+ const CSUSP — darwin/amd64

+ const CTRL_BREAK_EVENT — windows/amd64

+ const CTRL_C_EVENT — windows/amd64

+ const FLUSHO — darwin/amd64

+ const HUPCL — darwin/amd64

+ const ICANON — darwin/amd64

+ const ICRNL — darwin/amd64

+ const IEXTEN — darwin/amd64

+ const IGNBRK — darwin/amd64

+ const IGNCR — darwin/amd64

+ const IGNPAR — darwin/amd64

+ const IMAXBEL — darwin/amd64

+ const INLCR — darwin/amd64

+ const INPCK — darwin/amd64

+ const IOC_IN — windows/amd64

+ const IOC_INOUT — windows/amd64

+ const IOC_OUT — windows/amd64

+ const IOC_WS2 — windows/amd64

+ const ISIG — darwin/amd64

+ const ISTRIP — darwin/amd64

+ const IUTF8 — darwin/amd64

+ const IXANY — darwin/amd64

+ const IXOFF — darwin/amd64

+ const IXON — darwin/amd64

+ const MSG_FASTOPEN — linux/amd64

+ const NOFLSH — darwin/amd64

+ const OCRNL — darwin/amd64

+ const OFDEL — darwin/amd64

+ const OFILL — darwin/amd64

+ const ONLCR — darwin/amd64

+ const ONLRET — darwin/amd64

+ const ONOCR — darwin/amd64

+ const ONOEOT — darwin/amd64

+ const OPOST — darwin/amd64

+ const PARENB — darwin/amd64

+ const PARMRK — darwin/amd64

+ const PARODD — darwin/amd64

+ const PENDIN — darwin/amd64

+ const RTNLGRP_IPV4_IFADDR — linux/amd64

+ const RTNLGRP_IPV4_MROUTE — linux/amd64

+ const RTNLGRP_IPV4_ROUTE — linux/amd64

+ const RTNLGRP_IPV4_RULE — linux/amd64

+ const RTNLGRP_IPV6_IFADDR — linux/amd64

+ const RTNLGRP_IPV6_IFINFO — linux/amd64

+ const RTNLGRP_IPV6_MROUTE — linux/amd64

+ const RTNLGRP_IPV6_PREFIX — linux/amd64

+ const RTNLGRP_IPV6_ROUTE — linux/amd64

+ const RTNLGRP_IPV6_RULE — linux/amd64

+ const RTNLGRP_LINK — linux/amd64

+ const RTNLGRP_ND_USEROPT — linux/amd64

+ const RTNLGRP_NEIGH — linux/amd64

+ const RTNLGRP_NONE — linux/amd64

+ const RTNLGRP_NOTIFY — linux/amd64

+ const RTNLGRP_TC — linux/amd64

+ const SIO_GET_EXTENSION_FUNCTION_POINTER — windows/amd64

+ const SO_UPDATE_CONNECT_CONTEXT — windows/amd64

+ const SizeofInet4Pktinfo — darwin/amd64

+ const SizeofTCPInfo — linux/amd64

+ const TCIFLUSH — darwin/amd64

+ const TCIOFLUSH — darwin/amd64

+ const TCOFLUSH — darwin/amd64

+ const TCSAFLUSH — darwin/amd64

+ const TOSTOP — darwin/amd64

+ const VDISCARD — darwin/amd64

+ const VDSUSP — darwin/amd64

+ const VEOF — darwin/amd64

+ const VEOL — darwin/amd64

+ const VEOL2 — darwin/amd64

+ const VERASE — darwin/amd64

+ const VINTR — darwin/amd64

+ const VKILL — darwin/amd64

+ const VLNEXT — darwin/amd64

+ const VMIN — darwin/amd64

+ const VQUIT — darwin/amd64

+ const VREPRINT — darwin/amd64

+ const VSTART — darwin/amd64

+ const VSTATUS — darwin/amd64

+ const VSTOP — darwin/amd64

+ const VSUSP — darwin/amd64

+ const VT0 — darwin/amd64

+ const VT1 — darwin/amd64

+ const VTDLY — darwin/amd64

+ const VTIME — darwin/amd64

+ const VWERASE — darwin/amd64

+ var WSAID_CONNECTEX = GUID — windows/amd64

+ func BytePtrFromString(s string) (*byte, error)

+ func ByteSliceFromString(s string) ([]byte, error)

+ func CancelIoEx(s Handle, o *Overlapped) (err error) — windows/amd64

+ func ConnectEx(fd Handle, sa Sockaddr, sendBuf *byte, sendDataLen uint32, bytesSent *uint32, ...) error — windows/amd64

+ func FreeAddrInfoW(addrinfo *AddrinfoW) — windows/amd64

+ func GetAddrInfoW(nodename *uint16, servicename *uint16, hints *AddrinfoW, result **AddrinfoW) (sockerr error) — windows/amd64

+ func GetConsoleMode(console Handle, mode *uint32) (err error) — windows/amd64

+ func Getsockopt(s Handle, level int32, optname int32, optval *byte, optlen *int32) (err error) — windows/amd64

+ func Getxattr(path string, attr string, dest []byte) (sz int, err error) — linux/amd64

+ func Listxattr(path string, dest []byte) (sz int, err error) — linux/amd64

+ func LoadCancelIoEx() error — windows/amd64

+ func LoadConnectEx() error — windows/amd64

+ func LoadGetAddrInfo() error — windows/amd64

+ func Pipe2(p []int, flags int) (err error) — linux/amd64

+ func PtraceSyscall(pid int, signal int) (err error) — linux/amd64

+ func ReadConsole(console Handle, buf *uint16, toread uint32, read *uint32, inputControl *byte) (err error) — windows/amd64

+ func Removexattr(path string, attr string) (err error) — linux/amd64

+ func Setxattr(path string, attr string, data []byte, flags int) (err error) — linux/amd64

+ func SlicePtrFromStrings(ss []string) ([]*byte, error) — darwin/amd64, linux/amd64

+ func TimespecToNsec(ts Timespec) int64 — windows/amd64

+ func UTF16FromString(s string) ([]uint16, error) — windows/amd64

+ func UTF16PtrFromString(s string) (*uint16, error) — windows/amd64

+ func UtimesNano(path string, ts []Timespec) (err error) — linux/amd64, windows/amd64

+ func UtimesNano(path string, ts []Timespec) error — darwin/amd64

+ func WriteConsole(console Handle, buf *uint16, towrite uint32, written *uint32, reserved *byte) (err error) — windows/amd64

+ type AddrinfoW struct — windows/amd64

+ Addr uintptr

+ Addrlen uintptr

+ Canonname *uint16

+ Family int32

+ Flags int32

+ Next *AddrinfoW

+ Protocol int32

+ Socktype int32

type Errno — windows/amd64

+ const ERROR_NOT_FOUND

+ type GUID struct — windows/amd64

+ Data1 uint32

+ Data2 uint16

+ Data3 uint16

+ Data4 [8]byte

+ type Inet4Pktinfo struct — darwin/amd64

+ Addr [4]byte

+ Ifindex uint32

+ Spec_dst [4]byte

+ type RawSockaddrInet6 struct — windows/amd64

+ Addr [16]byte

+ Family uint16

+ Flowinfo uint32

+ Port uint16

+ Scope_id uint32

type Sockaddr — linux/amd64

+ func Accept4(fd int, flags int) (nfd int, sa Sockaddr, err error)

type SysProcAttr — linux/amd64

+ Ctty int

type SysProcAttr — windows/amd64

+ CreationFlags uint32

+ type TCPInfo struct — linux/amd64

+ Advmss uint32

+ Ato uint32

+ Backoff uint8

+ Ca_state uint8

+ Fackets uint32

+ Last_ack_recv uint32

+ Last_ack_sent uint32

+ Last_data_recv uint32

+ Last_data_sent uint32

+ Lost uint32

+ Options uint8

+ Pad_cgo_0 [2]byte

+ Pmtu uint32

+ Probes uint8

+ Rcv_mss uint32

+ Rcv_rtt uint32

+ Rcv_space uint32

+ Rcv_ssthresh uint32

+ Reordering uint32

+ Retrans uint32

+ Retransmits uint8

+ Rto uint32

+ Rtt uint32

+ Rttvar uint32

+ Sacked uint32

+ Snd_cwnd uint32

+ Snd_mss uint32

+ Snd_ssthresh uint32

+ State uint8

+ Total_retrans uint32

+ Unacked uint32

+ type Termios struct — darwin/amd64

+ Cc [20]uint8

+ Cflag uint64

+ Iflag uint64

+ Ispeed uint64

+ Lflag uint64

+ Oflag uint64

+ Ospeed uint64

+ Pad_cgo_0 [4]byte

type Timespec — windows/amd64

+ func NsecToTimespec(nsec int64) (ts Timespec)

type Ucred — linux/amd64

+ func GetsockoptUcred(fd, level, opt int) (*Ucred, error)

go1.1rc3

May 8, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.1rc2

May 7, 2013 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.0.3

Sep 21, 2012 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.0.2

Jun 14, 2012 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1.0.1

Apr 26, 2012 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

go1

Mar 28, 2012 GO-2021-0163GO-2022-0220GO-2022-0289GO-2022-0493GO-2022-1095

GO-2021-0163: Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

GO-2022-0220: Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

GO-2022-0289: When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

GO-2022-0493: When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

GO-2022-1095: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Changes in this version

+ const AF_ALG — linux/amd64

+ const AF_APPLETALK — darwin/amd64, linux/amd64

+ const AF_ASH — linux/amd64

+ const AF_ATMPVC — linux/amd64

+ const AF_ATMSVC — linux/amd64

+ const AF_AX25 — linux/amd64

+ const AF_BLUETOOTH — linux/amd64

+ const AF_BRIDGE — linux/amd64

+ const AF_CAIF — linux/amd64

+ const AF_CAN — linux/amd64

+ const AF_CCITT — darwin/amd64

+ const AF_CHAOS — darwin/amd64

+ const AF_CNT — darwin/amd64

+ const AF_COIP — darwin/amd64

+ const AF_DATAKIT — darwin/amd64

+ const AF_DECnet — darwin/amd64, linux/amd64

+ const AF_DLI — darwin/amd64

+ const AF_E164 — darwin/amd64

+ const AF_ECMA — darwin/amd64

+ const AF_ECONET — linux/amd64

+ const AF_FILE — linux/amd64

+ const AF_HYLINK — darwin/amd64

+ const AF_IEEE80211 — darwin/amd64

+ const AF_IEEE802154 — linux/amd64

+ const AF_IMPLINK — darwin/amd64

+ const AF_INET — darwin/amd64, linux/amd64, windows/amd64

+ const AF_INET6 — darwin/amd64, linux/amd64, windows/amd64

+ const AF_IPX — darwin/amd64, linux/amd64

+ const AF_IRDA — linux/amd64

+ const AF_ISDN — darwin/amd64, linux/amd64

+ const AF_ISO — darwin/amd64

+ const AF_IUCV — linux/amd64

+ const AF_KEY — linux/amd64

+ const AF_LAT — darwin/amd64

+ const AF_LINK — darwin/amd64

+ const AF_LLC — linux/amd64

+ const AF_LOCAL — darwin/amd64, linux/amd64

+ const AF_MAX — darwin/amd64, linux/amd64

+ const AF_NATM — darwin/amd64

+ const AF_NDRV — darwin/amd64

+ const AF_NETBEUI — linux/amd64

+ const AF_NETBIOS — darwin/amd64, windows/amd64

+ const AF_NETLINK — linux/amd64

+ const AF_NETROM — linux/amd64

+ const AF_NS — darwin/amd64

+ const AF_OSI — darwin/amd64

+ const AF_PACKET — linux/amd64

+ const AF_PHONET — linux/amd64

+ const AF_PPP — darwin/amd64

+ const AF_PPPOX — linux/amd64

+