
Contributor

@Twsouza Twsouza commented May 6, 2025

What is the feature/update/fix?

This release includes security patches for several vulnerabilities in dependencies used by the Convox v2 rack. These updates address critical security issues in the following packages:

  1. golang-jwt/jwt/v4 - Fixed two vulnerabilities:
     • GO-2024-3250: Denial of service vulnerability
     • GO-2025-3553 (CVE-2025-30204): Excessive memory allocation during header parsing that could lead to denial of service attacks
  2. golang.org/x/crypto - Fixed vulnerability:
     • GO-2025-3487 (CVE-2025-22869): SSH servers implementing file transfer protocols were vulnerable to denial of service attacks from clients that complete key exchange slowly or not at all

These security updates ensure your Convox rack is protected against potential denial of service attacks and other exploits that could affect system stability and security.


How to use it?

This security update is automatically applied when you update your rack to the latest version. No additional configuration is required to benefit from these security fixes.

To apply the update:

$ convox rack update

After updating, verify your rack is running the latest version:

$ convox rack

Does it have a breaking change?

No, there are no breaking changes introduced with these security fixes. All functionality remains the same while improving the security posture of your Convox rack.


Requirements

To receive these security fixes, you must update to rack version 20250513194500 or newer.

  • Check your rack's version with convox rack
  • Update your rack with convox rack update

We strongly recommend updating at your earliest convenience to ensure your environment is protected against these known vulnerabilities.
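An added example, not part of this PR or the Convox code base: a small Go program that reads a go.mod and reports which of the two modules named above are still required at a version below the patched one, treating pseudo-versions built before the fix as still vulnerable. The sample go.mod is constructed. The minimum patched versions are taken from the Go vulnerability database advisories the PR cites (GO-2024-3250, GO-2025-3553, GO-2025-3487), not from the PR text, so confirm them against the database; for a real audit of the whole dependency graph, including transitive modules, `govulncheck ./...` is the tool to run.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// minPatched maps module path -> lowest version carrying the fix for the
// advisories named in the PR. The thresholds come from the Go vulnerability
// database, not from the PR page; confirm them against https://pkg.go.dev/vuln.
var minPatched = map[string]string{
	"github.com/golang-jwt/jwt/v4": "v4.5.2",
	"golang.org/x/crypto":          "v0.35.0",
}

// sampleGoMod is a constructed go.mod for illustration, not the rack's real file.
const sampleGoMod = `module example.com/rack
require (
	github.com/golang-jwt/jwt/v4 v4.4.3
	golang.org/x/crypto v0.31.0
	github.com/aws/aws-sdk-go v1.44.0 // indirect
)
`

// parseVersion encodes "v4.5.2", "v2.0.0+incompatible" or a pseudo-version such as
// "v4.5.2-0.20250301000000-abcdef123456" as one sortable integer: major, minor and
// patch in descending weight, then 1 for a tagged release or 0 for a pre-release.
func parseVersion(v string) (int64, error) {
	release := int64(1)
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		if v[i] == '-' {
			release = 0 // pre-release/pseudo-version sorts below its base version
		}
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("unexpected version %q", v)
	}
	var key int64
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 9999 {
			return 0, fmt.Errorf("bad component %q in %q", p, v)
		}
		key = key*10000 + int64(n)
	}
	return key*2 + release, nil
}

// parseRequires collects module -> version from require directives in single-line
// or block form, dropping trailing comments. Use golang.org/x/mod/modfile for real tooling.
func parseRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		// a require entry is "<module path> v<version>"; module/go/replace never match
		if len(f) == 2 && strings.Contains(f[0], "/") && strings.HasPrefix(f[1], "v") {
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// Unpatched returns tracked modules required below the patched version, with the version found.
func Unpatched(goMod string) (map[string]string, error) {
	stale := map[string]string{}
	for mod, have := range parseRequires(goMod) {
		need, tracked := minPatched[mod]
		if !tracked {
			continue
		}
		hv, err := parseVersion(have)
		if err != nil {
			return nil, err
		}
		nv, _ := parseVersion(need) // minPatched values are well-formed
		if hv < nv {
			stale[mod] = have
		}
	}
	return stale, nil
}

func main() {
	stale, _ := Unpatched(sampleGoMod)
	for mod, have := range stale {
		fmt.Printf("%s %s is below patched %s\n", mod, have, minPatched[mod])
	}
}
```

The pre-release flag matters in practice: a `go get` pinned to a commit just before the fix produces a pseudo-version whose base looks like the patched release, and a plain string comparison would wrongly report it as fixed.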

@Twsouza Twsouza requested a review from nightfury1204 May 6, 2025 17:55
Fix the following vulnerabilities:
github.com/golang-jwt/jwt/v4 has known vulnerabilities GO-2024-3250, GO-2025-3553.
golang.org/x/crypto has a vulnerability GO-2025-3487.
@Twsouza Twsouza force-pushed the chore/update-crypto-jwt-lib branch from 6490556 to 10004dc Compare May 13, 2025 18:43
@nightfury1204 nightfury1204 merged commit 96ffa7f into master May 13, 2025
0 of 2 checks passed
@nightfury1204 nightfury1204 deleted the chore/update-crypto-jwt-lib branch May 13, 2025 18:44

codecov bot commented May 13, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 35.34%. Comparing base (cb21bd7) to head (10004dc).
Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3760   +/-   ##
=======================================
  Coverage   35.34%   35.34%           
=======================================
  Files         208      208           
  Lines       20958    20958           
=======================================
  Hits         7407     7407           
  Misses      12165    12165           
  Partials     1386     1386           
