Go 1.7.4 & 1.6.4 now available
Change effective on 02 December 2016
Heroku’s support for Go has been upgraded to include Go 1.7.4 & 1.6.4. Future deploys with either a
go1.7 specifier will use these new versions.
go1.6.4 & go1.7.4 (released 2016/12/01) includes two security fixes. One of the issues effects Heroku users of net/http package’s Request.ParseMultipartForm, which starts writing to temporary files once the request body size surpasses the given “maxMemory” limit, allows an attacker to generate a multipart request crafted such that the dyno runs out of file descriptors.
The other issue affects users on Darwin (MacOS), where a user’s trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. MacOS users are encouraged to upgrade their local version of Go.
Users of go1.6 and go1.7 should push a new commit to force a rebuild with the latest version of Go.
For more information on Heroku’s Go support, see the Dev Center documentation for Go. For more information on Go 1.7.4, see the Go documentation.