Google has released Go 1.5.3, an upgrade that fixes a security issue in the math/big package, which implements multiprecision arithmetic. Go programs must be recompiled with this version to receive the fix.
“This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls,” a golang-dev post in Google Groups says. “TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.” An incorrect result in one part of the RSA Chinese Remainder Theorem computation carries through to a wrong final result, and that wrong result can leak one of the private key's prime numbers.
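The mechanism in that last sentence, together with the check that contains it, as an added example (not code from the Go project or the golang-dev post): one corrupted CRT half yields a signature that shares a factor with the modulus, and re-verifying with the public exponent before release withholds it. The toy key, the message and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy RSA key constructed for this example (d = 2753); far too small for real use.
var (
	p, q   = big.NewInt(61), big.NewInt(53)
	n, e   = big.NewInt(3233), big.NewInt(17)
	dp, dq = big.NewInt(53), big.NewInt(49) // d mod (p-1), d mod (q-1)
	qinv   = big.NewInt(38)                 // q^-1 mod p
)

// signCRT computes m^d mod n from the two CRT halves. With fault set, the
// mod-p half is off by one, standing in for a single wrong arithmetic result.
func signCRT(m *big.Int, fault bool) *big.Int {
	sp := new(big.Int).Exp(m, dp, p)
	sq := new(big.Int).Exp(m, dq, q)
	if fault {
		sp.Add(sp, big.NewInt(1))
	}
	h := new(big.Int).Sub(sp, sq)
	h.Mul(h, qinv).Mod(h, p)
	return h.Mul(h, q).Add(h, sq)
}

// leakedFactor returns gcd(s^e - m, n): a prime of n if one CRT half was wrong.
func leakedFactor(m, s *big.Int) *big.Int {
	diff := new(big.Int).Exp(s, e, n)
	diff.Sub(diff, m)
	return new(big.Int).GCD(nil, nil, diff.Abs(diff), n)
}

// checkedSign re-verifies with the public exponent and withholds a bad result.
func checkedSign(m *big.Int, fault bool) (*big.Int, error) {
	s := signCRT(m, fault)
	if new(big.Int).Exp(s, e, n).Cmp(m) != 0 {
		return nil, fmt.Errorf("CRT result failed verification; signature withheld")
	}
	return s, nil
}

func main() {
	m := big.NewInt(65) // constructed message
	_, err := checkedSign(m, true)
	fmt.Println("unchecked leak:", leakedFactor(m, signCRT(m, true)), "| checked:", err)
}
```

The verification costs one extra public-exponent exponentiation per signature, which is small next to the private-key operation it protects.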