@nightfury1204 nightfury1204 commented Dec 10, 2025

What is the feature/update/fix?

This release includes a security patch for a vulnerability in a dependency used by the Convox v2 rack. This update addresses a security issue in the following package:

golang.org/x/crypto - Fixed vulnerability:

  • GO-2025-4116 (CVE-2025-47913): SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process, potentially leading to denial of service

This security update ensures your Convox rack is protected against potential denial of service attacks that could affect system stability and availability.


How to use it?

This security update is automatically applied when you update your rack to the latest version. No additional configuration is required to benefit from this security fix.

To apply the update:

$ convox rack update

After updating, verify your rack is running the latest version:

$ convox rack

Does it have a breaking change?

No, there are no breaking changes introduced with this security fix. All functionality remains the same while improving the security posture of your Convox rack.


Requirements

To use this feature, you must be on at least rack version 20251210170659.
You can check your rack's version with the command convox rack -r rackName.
Update your rack to the latest version with the command convox rack update -r rackName.
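
The failure class described for GO-2025-4116 above, as an added Go example that is not code from this pull request or from golang.org/x/crypto: a client that assumes the agent's reply type panics on a bare SSH_AGENT_SUCCESS, while a checked assertion returns an error the caller can handle. The message structs, `decode`, `listKeysUnchecked` and `listKeys` are hypothetical names, and the reply bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Reply type bytes from the SSH agent protocol.
const (
	agentSuccess          = 6
	agentIdentitiesAnswer = 12
)

type successMsg struct{}
type identitiesMsg struct{ NumKeys uint32 }

// decode is a hypothetical helper mapping a raw reply to a typed message.
func decode(reply []byte) (interface{}, error) {
	switch {
	case len(reply) == 1 && reply[0] == agentSuccess:
		return &successMsg{}, nil
	case len(reply) >= 5 && reply[0] == agentIdentitiesAnswer:
		return &identitiesMsg{binary.BigEndian.Uint32(reply[1:5])}, nil
	}
	return nil, errors.New("agent: malformed or unknown reply")
}

// listKeysUnchecked assumes the reply type; any other reply panics.
func listKeysUnchecked(reply []byte) uint32 {
	msg, _ := decode(reply)
	return msg.(*identitiesMsg).NumKeys
}

// listKeys turns every unexpected reply into an error the caller can handle.
func listKeys(reply []byte) (uint32, error) {
	msg, err := decode(reply)
	if err != nil {
		return 0, err
	}
	if m, ok := msg.(*identitiesMsg); ok {
		return m.NumKeys, nil
	}
	return 0, fmt.Errorf("agent: unexpected reply type %T", msg)
}

func main() {
	_, err := listKeys([]byte{agentSuccess}) // constructed reply
	fmt.Println(err)
}
```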

@ntner ntner self-requested a review December 10, 2025 17:03
@ntner ntner left a comment

  • Install and update to rack version
  • Downgrade to previous version
  • Telemetry based param groupings at install
  • Common convox rack param set variations after install
  • New application install and running with multiple resources
  • Existing application working after upgrade
  • Review and Deploy Workflows working across update
  • General and build stress-testing

@nightfury1204 nightfury1204 merged commit 9246c82 into master Dec 10, 2025
4 of 8 checks passed
@nightfury1204 nightfury1204 deleted the fix-go-cve branch December 10, 2025 17:06