[security] Go 1.17.7 and Go 1.16.14 are released

• crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
  
  Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values

may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

• math/big: prevent large memory consumption in Rat.SetString
  
  An attacker can cause unbounded memory growth in a program using (*Rat).SetString
  due to an unhandled overflow.
  
  Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
  (@odeke_et) for reporting it.
  
  This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
  

• cmd/go: prevent branches from materializing into versions
  
  A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
  can be considered a valid version by the go command. Materializing versions from
  branches might be unexpected and bypass ACLs that limit the creation of tags but not
  branches.
  
  This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

View the release notes for more information:
    https://go.dev/doc/devel/release.html#go1.17.minor

You can download binary and source distributions from the Go web site:
    https://go.dev/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.17.7" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Cherry and Alex for the Go team