Go 1.18.4 and Go 1.17.12 are released
groups.google.com

Noteworthy in this security release: 7 out of the 9 issues fixed are stack exhaustion bugs, meaning something in the stdlib is recursing too deeply and with a large enough input the runtime hits its 2 GB stack limit. Contrary to what the announcement says, though, the resulting crashes are not actual panics, but fatal errors that you can't recover from.
Most of these are pretty easy to hit, too: App taking in XML files larger than a couple of megabytes? Probably affected. Decompressing untrusted gzip files? Yeah, pretty likely also affected. Doing static analysis or linting on Go source code? Definitely affected.
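Because these crashes cannot be caught with `recover`, the guard has to run before the recursive code sees the input. The sketch below is an added example, not code from the announcement or the Go project: it rejects oversized or deeply nested XML with a token loop before calling `xml.Unmarshal`. The function names and limits are assumptions, as is the premise that recursion depth follows element nesting.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrTooDeep = errors.New("xml: nesting depth limit exceeded")
var ErrTooLarge = errors.New("xml: input size limit exceeded")

// checkXMLDepth walks the token stream in a loop, counting open elements.
func checkXMLDepth(r io.Reader, maxDepth int) error {
	dec := xml.NewDecoder(r)
	for depth := 0; ; {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			if depth++; depth > maxDepth {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// safeUnmarshal (hypothetical helper) applies both limits, then decodes.
func safeUnmarshal(data []byte, maxBytes, maxDepth int, v interface{}) error {
	if len(data) > maxBytes {
		return ErrTooLarge
	}
	if err := checkXMLDepth(bytes.NewReader(data), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

func main() {
	deep := strings.Repeat("<a>", 100000) + strings.Repeat("</a>", 100000) // constructed input
	fmt.Println(safeUnmarshal([]byte(deep), 1<<20, 1000, new(struct{})))
}
```

The caller is still responsible for bounding how much it reads into `data`, for example with `io.LimitReader`.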