Skip to content

backend: bump golang.org/x/crypto to v0.52.0 to address Snyk findings#2469

Merged
c-julin merged 1 commit into
masterfrom
tb/snyk-crypto-0.52
May 27, 2026
Merged

backend: bump golang.org/x/crypto to v0.52.0 to address Snyk findings#2469
c-julin merged 1 commit into
masterfrom
tb/snyk-crypto-0.52

Conversation

@twmb

@twmb twmb commented May 26, 2026

Copy link
Copy Markdown
Contributor

Summary

Bump golang.org/x/crypto from v0.51.0 to v0.52.0 to address 6 HIGH severity Snyk findings in golang.org/x/crypto/ssh and related packages.

Vulnerabilities addressed

CVE Go vuln Title
CVE-2026-39831 GO-2026-5019 Improper Authentication
CVE-2026-39827 GO-2026-5016 Missing Release of Resource after Effective Lifetime
CVE-2026-42508 GO-2026-5021 Improper Check for Certificate Revocation (knownhosts)
CVE-2026-46597 GO-2026-5013 Incorrect Type Conversion or Cast
CVE-2026-46598 GO-2026-5033 Incorrect Type Conversion or Cast (ssh/agent)
CVE-2026-39835 GO-2026-5015 Uncaught Exception

Snyk links:

Test plan

  • CI passes

🤖 Generated with Claude Code

Addresses the following HIGH severity vulnerabilities in
golang.org/x/crypto/ssh:

* CVE-2026-39831 / GO-2026-5019 - Improper Authentication
* CVE-2026-39827 / GO-2026-5016 - Missing Release of Resource after Effective Lifetime
* CVE-2026-42508 / GO-2026-5021 - Improper Check for Certificate Revocation (knownhosts)
* CVE-2026-46597 / GO-2026-5013 - Incorrect Type Conversion or Cast
* CVE-2026-46598 / GO-2026-5033 - Incorrect Type Conversion or Cast (agent)
* CVE-2026-39835 / GO-2026-5015 - Uncaught Exception

Snyk:
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795344
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795342
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHKNOWNHOSTS-16796449
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796326
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-16796334
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796332

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@c-julin c-julin merged commit 4a8e3db into master May 27, 2026
16 checks passed
@c-julin c-julin deleted the tb/snyk-crypto-0.52 branch May 27, 2026 10:29
themkarimi pushed a commit to themkarimi/console that referenced this pull request Jun 19, 2026
…redpanda-data#2469)

Addresses the following HIGH severity vulnerabilities in
golang.org/x/crypto/ssh:

* CVE-2026-39831 / GO-2026-5019 - Improper Authentication
* CVE-2026-39827 / GO-2026-5016 - Missing Release of Resource after Effective Lifetime
* CVE-2026-42508 / GO-2026-5021 - Improper Check for Certificate Revocation (knownhosts)
* CVE-2026-46597 / GO-2026-5013 - Incorrect Type Conversion or Cast
* CVE-2026-46598 / GO-2026-5033 - Incorrect Type Conversion or Cast (agent)
* CVE-2026-39835 / GO-2026-5015 - Uncaught Exception

Snyk:
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795344
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795342
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHKNOWNHOSTS-16796449
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796326
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-16796334
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796332

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants