- go1.19.8 (released 2023-04-04) includes security fixes to the
go/parser, html/template, mime/multipart, net/http, and
net/textproto packages, as well as bug fixes to the linker, the
runtime, and the time package.
Refs boo#1200441 go1.19 release tracking
CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
* go#59267 go#58975 boo#1210127 net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534)
* go#59269 go#59153 boo#1210128 net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
* go#59273 go#59180 boo#1210129 go/parser: infinite loop in parsing (CVE-2023-24537)
* go#59271 go#59234 boo#1210130 html/template: backticks not treated as string delimiters (CVE-2023-24538)
* go#58937 cmd/go: timeout on darwin-amd64-race builder
* go#58939 runtime/pprof: TestLabelSystemstack due to sample with no location
* go#58941 internal/testpty: fails on some Linux machines due to incorrect error handling
* go#59050 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
* go#59058 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
* go#59074 time: time zone lookup using extend string makes wrong start time for non-DST zones
* go#59219 runtime: crash on linux-ppc64le (forwarded request 1077382 from jfkw)