Update: If you are on Go 13.1 or later, you do not need to do anything.
Two days ago we learnt of a new vulnerability in Ruby on Rails, one of the underlying technologies on which the Go frontend is built.* Due to the severity of the issue, we have released a version of Go that fixes it and have also made a priority patch available.
This is different from the vulnerability reported on 11th Jan.
Note that this only affects Go servers and not Go agents.
You can download the updated installers from the Go download page.
Or, if you prefer, you can patch your existing installation by downloading the patch here.**
If your Go instance is available from outside of your corporate firewall, we strongly recommend that you disable access immediately and apply the patch. You should not bring Go back up until the patch is applied.
If your Go instance is not available from outside of your corporate firewall, the risk is reduced, but we still recommend that you apply this patch immediately.
This is a critical security issue that requires your immediate attention.
If you have any questions about the security issue or applying the patch, please contact Customer Support on our website.
- Go Team
* Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability
** Note that this is a cumulative patch which addresses both vulnerabilities.