
vendor: golang.org/x/crypto v0.35.0 #5869

Merged (5 commits, Mar 11, 2025)

Conversation

@thaJeztah (Member) commented Feb 25, 2025


vendor: golang.org/x/sys v0.30.0

full diff: golang/sys@v0.29.0...v0.30.0

vendor: golang.org/x/sync v0.11.0

no code-changes, only a godoc comment updated

full diff: golang/sync@v0.10.0...v0.11.0

vendor: golang.org/x/text v0.22.0

no code-changes in vendored files.

full diff: golang/text@v0.21.0...v0.22.0

vendor: golang.org/x/crypto v0.34.0

No code-changes, but updates the minimum go version to go1.23:

> all: upgrade go directive to at least 1.23.0 [generated]
>
> By now Go 1.24.0 has been released, and Go 1.22 is no longer supported
> per the Go Release Policy (https://go.dev/doc/devel/release#policy).
>
> For golang/go#69095.

full diff: golang/crypto@v0.31.0...v0.34.0

vendor: golang.org/x/crypto v0.35.0

We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.

full diff: golang/crypto@v0.31.0...v0.35.0

- What I did

- How I did it

- How to verify it

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

vendor.mod Outdated
golang.org/x/crypto v0.34.0 // indirect
golang.org/x/crypto v0.35.0 // indirect
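Review bot: the `// indirect` marker on the bumped `golang.org/x/crypto` line means this module does not import x/crypto directly, so whether CVE-2025-22869 is reachable depends on which x/crypto packages the vendored dependencies actually pull in; since only the version line changes here, the PR description should state that `golang.org/x/crypto/ssh` is not among the vendored packages so the scanner false-positive rationale can be checked from the diff rather than taken on trust.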
@thaJeztah (Member, Author) commented:

No diff in vendored files for this update, so we don't need to update, other than for silencing scanners (false positive)
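As an added example (not code from this PR or from docker/cli), here is the check behind the comment above, "no diff in vendored files", and behind the CVE note in the PR description: a Go program that reads a vendor/modules.txt manifest and reports whether a version-only scanner finding for CVE-2025-22869 is actually backed by vendored code. The manifest text is constructed; the advisory record uses the module, affected package and fixed version stated in the PR description; the verdict names and the `advisory`/`vendoredModule` types are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in Go's vendor/modules.txt format ("# module version", optional
// "## explicit" line, then one vendored package per line). No ssh package is listed,
// matching the "no diff in vendored files" observation in the PR.
const sampleModulesTxt = `# golang.org/x/crypto v0.34.0
## explicit; go 1.23.0
golang.org/x/crypto/blake2b
golang.org/x/crypto/ed25519
golang.org/x/crypto/nacl/secretbox
# golang.org/x/sys v0.30.0
## explicit; go 1.23.0
golang.org/x/sys/unix
`

// vendoredModule keeps a module's version and the set of its vendored packages.
type vendoredModule struct {
	Version  string
	Packages map[string]bool
}

// parseModulesTxt maps module path -> version and vendored package set.
func parseModulesTxt(content string) map[string]*vendoredModule {
	mods := map[string]*vendoredModule{}
	var cur *vendoredModule
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "## "): // "## explicit; go 1.23.0": flags only
		case strings.HasPrefix(line, "# "):
			fields := strings.Fields(line[2:])
			cur = nil
			if len(fields) >= 2 {
				cur = &vendoredModule{Version: fields[1], Packages: map[string]bool{}}
				mods[fields[0]] = cur
			}
		case line != "" && cur != nil:
			cur.Packages[line] = true
		}
	}
	return mods
}

// parseVer reads "vMAJOR.MINOR.PATCH"; a "-pre" or "+build" suffix is dropped, so
// pseudo-versions are compared by their base version only.
func parseVer(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		if j := strings.IndexAny(p, "-+"); j >= 0 {
			p = p[:j]
		}
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// semverLess reports whether version a is older than version b.
func semverLess(a, b string) bool {
	pa, pb := parseVer(a), parseVer(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// advisory names the affected package inside a module and the first fixed version.
// The CVE-2025-22869 values below are taken from the PR description.
type advisory struct{ ID, Module, Package, FixedIn string }

var cve202522869 = advisory{"CVE-2025-22869", "golang.org/x/crypto", "golang.org/x/crypto/ssh", "v0.35.0"}

type verdict string

const (
	notVendored verdict = "module not vendored"
	fixed       verdict = "fixed version vendored"
	scannerOnly verdict = "vulnerable version, but affected package not vendored (scanner finding only)"
	reachable   verdict = "vulnerable version and affected package vendored"
)

// assess adds the check a version-only scanner cannot make: is the affected
// package actually part of the vendored tree?
func assess(mods map[string]*vendoredModule, adv advisory) verdict {
	m, ok := mods[adv.Module]
	switch {
	case !ok:
		return notVendored
	case !semverLess(m.Version, adv.FixedIn):
		return fixed
	case m.Packages[adv.Package]:
		return reachable
	}
	return scannerOnly
}

func main() {
	fmt.Printf("%s: %s\n", cve202522869.ID, assess(parseModulesTxt(sampleModulesTxt), cve202522869))
}
```

Run against a real vendor/modules.txt, the "scanner finding only" verdict is the precise form of the rationale given in the comment: the module version is below the fixed one, so a manifest-based scanner flags it, but the vulnerable ssh package is not in the vendored tree, so the bump changes no compiled code. The generalisation beyond the PR is the `advisory` record, which lets the same check run for any package-scoped advisory.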

@thaJeztah thaJeztah changed the title Bump crypto vendor: golang.org/x/crypto v0.35.0 Feb 25, 2025

codecov-commenter commented Feb 25, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.32%. Comparing base (1673cd8) to head (4bdfd3b).
Report is 9 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5869      +/-   ##
==========================================
+ Coverage   58.94%   59.32%   +0.37%     
==========================================
  Files         355      358       +3     
  Lines       29772    29783      +11     
==========================================
+ Hits        17550    17669     +119     
+ Misses      11251    11145     -106     
+ Partials      971      969       -2     

full diff: golang/sys@v0.29.0...v0.30.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no code-changes, only a godoc comment updated

full diff: golang/sync@v0.10.0...v0.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no code-changes in vendored files.

full diff: golang/text@v0.21.0...v0.22.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
No code-changes, but updates the minimum go version to go1.23:

> all: upgrade go directive to at least 1.23.0 [generated]
>
> By now Go 1.24.0 has been released, and Go 1.22 is no longer supported
> per the Go Release Policy (https://go.dev/doc/devel/release#policy).
>
> For golang/go#69095.

full diff: golang/crypto@v0.31.0...v0.34.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.

full diff: golang/crypto@v0.31.0...v0.35.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah modified the milestones: 28.1.0, 28.0.2 Mar 10, 2025
@thaJeztah thaJeztah marked this pull request as ready for review March 10, 2025 19:04
@thaJeztah thaJeztah requested review from Benehiko and vvoland March 10, 2025 22:23
@thaJeztah (Member, Author) commented:

Let me bring this in, as the one in moby was merged as well; moby/moby#49543

We still need to do the same for golang.org/x/net as well; moby/moby#49581

@thaJeztah thaJeztah merged commit 2d74733 into docker:master Mar 11, 2025
90 checks passed
@thaJeztah thaJeztah deleted the bump_crypto branch March 11, 2025 09:10