https://groups.google.com/g/golang-announce/c/wkkO4P9stm0 announces:
> Hello gophers,
>
> We have just released Go versions 1.22.3 and 1.21.10, minor point releases.
>
> These minor releases include 2 security fixes following the security policy:
>
> * cmd/go: arbitrary code execution during build on darwin
>
> On Darwin, building a Go module which contains CGO can trigger arbitrary
> code execution when using the Apple version of ld, due to usage of the
> -lto_library flag in a "#cgo LDFLAGS" directive.
>
> Thanks to Juho Forsén of Mattermost for reporting this issue.
>
> This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.
>
> * net: malformed DNS message can cause infinite loop
>
> A malformed DNS message in response to a query can cause the Lookup
> functions to get stuck in an infinite loop.
>
> Thanks to @long-name-let-people-remember-you on GitHub for reporting this
> issue, and to Mateusz Poliwczak for bringing the issue to our attention.
>
> This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.
>
> View the release notes for more information:
> https://go.dev/doc/devel/release#go1.22.3
>
> You can download binary and source distributions from the Go website:
> https://go.dev/dl/
>
> To compile from source using a Git clone, update to the release with
> git checkout go1.22.3 and build as usual.
>
> Thanks to everyone who contributed to the releases.
>
> Cheers,
> David, Cherry, and Roland for the Go team
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris