Update: If you are on Go 13.1 or later, you do not need to do anything.
This week, we learned of several critical issues with one of the underlying technologies (Rails) on which Go is built.* Due to the severity of these Rails issues, we have released a version of Go that fixes the issue and have made a priority patch available. Note that the vulnerability affects only Go servers, not Go agents.
You can download the updated installers from the Go download page.
Or, if you prefer, you can patch your existing installation using the patch and instructions attached to this post. The patch works for all supported versions of Go.
If your Go instance is available from outside of your corporate firewall, we strongly recommend that you disable access immediately and apply the patch. You should not bring Go back up until the patch is applied.
If your Go instance is not available from outside of your corporate firewall, the risk is reduced, but we still recommend that you apply this patch immediately.
This is a critical security issue that requires your immediate attention. This vulnerability is easily exploited and 100% repeatable.
If you have any questions about the security issue or applying the patch, please contact Customer Support on our website.
- Go Team
* Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)