vendor: golang.org/x/crypto v0.35.0 #5869
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thaJeztah
commented
Feb 25, 2025
vendor.mod
Outdated
| golang.org/x/crypto v0.34.0 // indirect | ||
| golang.org/x/crypto v0.35.0 // indirect |
There was a problem hiding this comment.
No diff in vendored files for this update, so we don't need to update, other than for silencing scanners (false positive)
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5869 +/- ##
==========================================
+ Coverage 58.94% 59.32% +0.37%
==========================================
Files 355 358 +3
Lines 29772 29783 +11
==========================================
+ Hits 17550 17669 +119
+ Misses 11251 11145 -106
+ Partials 971 969 -2 🚀 New features to boost your workflow:
|
full diff: golang/sys@v0.29.0...v0.30.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no code-changes, only a godoc comment updated full diff: golang/sync@v0.10.0...v0.11.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no code-changes in vendored files. full diff: golang/text@v0.21.0...v0.22.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
No code-changes, but updates the minimum go version to go1.23: > all: upgrade go directive to at least 1.23.0 [generated] > > By now Go 1.24.0 has been released, and Go 1.22 is no longer supported > per the Go Release Policy (https://go.dev/doc/devel/release#policy). > > For golang/go#69095. full diff: golang/crypto@v0.31.0...v0.34.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We have tagged version v0.35.0 of golang.org/x/crypto in order to address a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which could cause a denial of service. SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. Thanks to Yuichi Watanabe for reporting this issue. This is CVE-2025-22869 and Go issue https://go.dev/issue/71931. full diff: golang/crypto@v0.31.0...v0.35.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Benehiko
approved these changes
Mar 11, 2025
|
Let me bring this in, as the one in moby was merged as well; moby/moby#49543 We still need to do the same for golang.org/x/net as well; moby/moby#49581 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
update minimum go version to go1.23 #5868vendor.mod: update minimum go version to go1.23 #5920vendor: golang.org/x/sys v0.30.0
full diff: golang/sys@v0.29.0...v0.30.0
vendor: golang.org/x/sync v0.11.0
no code-changes, only a godoc comment updated
full diff: golang/sync@v0.10.0...v0.11.0
vendor: golang.org/x/text v0.22.0
no code-changes in vendored files.
full diff: golang/text@v0.21.0...v0.22.0
vendor: golang.org/x/crypto v0.34.0
No code-changes, but updates the minimum go version to go1.23:
full diff: golang/crypto@v0.31.0...v0.34.0
vendor: golang.org/x/crypto v0.35.0
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: golang/crypto@v0.31.0...v0.35.0
- What I did
- How I did it
- How to verify it
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)