vendor: golang.org/x/crypto v0.35.0 #5869
vendor.mod
golang.org/x/crypto v0.34.0 // indirect | ||
golang.org/x/crypto v0.35.0 // indirect |
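Review bot: on the `golang.org/x/crypto v0.35.0 // indirect` line, the commit message for this bump only reproduces the upstream advisory for CVE-2025-22869 and does not say whether the affected `golang.org/x/crypto/ssh` package is part of the vendored tree. Suggest adding a sentence to the commit message stating that the vendored files are unchanged, so the history records this as a scanner fix rather than a code fix.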
No diff in vendored files for this update, so we don't need to update, other than for silencing scanners (false positive)
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #5869 +/- ##
==========================================
+ Coverage 58.94% 59.32% +0.37%
==========================================
Files 355 358 +3
Lines 29772 29783 +11
==========================================
+ Hits 17550 17669 +119
+ Misses 11251 11145 -106
+ Partials 971 969 -2
full diff: golang/sys@v0.29.0...v0.30.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

no code-changes, only a godoc comment updated
full diff: golang/sync@v0.10.0...v0.11.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

no code-changes in vendored files.
full diff: golang/text@v0.21.0...v0.22.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

No code-changes, but updates the minimum go version to go1.23:
> all: upgrade go directive to at least 1.23.0 [generated]
>
> By now Go 1.24.0 has been released, and Go 1.22 is no longer supported
> per the Go Release Policy (https://go.dev/doc/devel/release#policy).
>
> For golang/go#69095.
full diff: golang/crypto@v0.31.0...v0.34.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: golang/crypto@v0.31.0...v0.35.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Let me bring this in, as the one in moby was merged as well; moby/moby#49543
We still need to do the same for golang.org/x/net as well; moby/moby#49581
update minimum go version to go1.23 #5868
vendor.mod: update minimum go version to go1.23 #5920
vendor: golang.org/x/sys v0.30.0
full diff: golang/sys@v0.29.0...v0.30.0
vendor: golang.org/x/sync v0.11.0
no code-changes, only a godoc comment updated
full diff: golang/sync@v0.10.0...v0.11.0
vendor: golang.org/x/text v0.22.0
no code-changes in vendored files.
full diff: golang/text@v0.21.0...v0.22.0
vendor: golang.org/x/crypto v0.34.0
No code-changes, but updates the minimum go version to go1.23:
full diff: golang/crypto@v0.31.0...v0.34.0
vendor: golang.org/x/crypto v0.35.0
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: golang/crypto@v0.31.0...v0.35.0
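
The advisory above concerns the golang.org/x/crypto/ssh package, and the review comment on this PR notes that the vendored files do not change with the bump. One way to check whether a package flagged by a scanner is actually present in a vendored tree is to parse `vendor/modules.txt`, as in this added example (not code from this PR or the project). The function name `Vendored` is hypothetical and the sample `modules.txt` content is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample, not the project's real vendor/modules.txt.
const sampleModulesTxt = `# golang.org/x/crypto v0.35.0
## explicit; go 1.23.0
golang.org/x/crypto/ed25519
golang.org/x/crypto/pbkdf2
# golang.org/x/sys v0.30.0
golang.org/x/sys/unix
`

// Vendored parses vendor/modules.txt content and returns the version recorded
// for module, its vendored packages, and whether pkg is one of them.
func Vendored(modulesTxt, module, pkg string) (version string, pkgs []string, hit bool) {
	inModule := false
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "## "):
			continue // metadata such as "## explicit; go 1.23.0"
		case strings.HasPrefix(line, "# "):
			// Module header "# <path> <version>"; skip "# <path> => <repl>" lines.
			f := strings.Fields(line[2:])
			inModule = len(f) >= 2 && f[0] == module && f[1] != "=>"
			if inModule {
				version = f[1]
			}
		case inModule:
			pkgs = append(pkgs, line)
			hit = hit || line == pkg
		}
	}
	return version, pkgs, hit
}

func main() {
	v, pkgs, hit := Vendored(sampleModulesTxt, "golang.org/x/crypto", "golang.org/x/crypto/ssh")
	fmt.Printf("version=%s packages=%v ssh vendored=%v\n", v, pkgs, hit)
}
```

A `false` result for the flagged package means the module version in `vendor.mod` matters only to scanners that match on module versions, not to the built binary.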