Bump golang.org/x/crypto to 0.17.0 (security) #427
Merged
Commits on Dec 22, 2023
-
Bump golang.org/x/crypto to 0.17.0 (security)
This fixes the following vulnerabilities, as reported by govulncheck: Vulnerability shazow#1: GO-2023-2402 Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto More info: https://pkg.go.dev/vuln/GO-2023-2402 Module: golang.org/x/crypto Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected] Example traces found: shazow#1: work/ssh-chat-1.10/sshd/client.go:42:33: sshd.ConnectShell calls ssh.Client.NewSession shazow#2: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial shazow#3: work/ssh-chat-1.10/sshd/net.go:49:2: sshd.SSHListener.handleConn calls ssh.DiscardRequests shazow#4: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn shazow#5: work/ssh-chat-1.10/sshd/terminal.go:222:13: sshd.Terminal.listen calls ssh.Request.Reply shazow#6: work/ssh-chat-1.10/sshd/client.go:46:2: sshd.ConnectShell calls ssh.Session.Close shazow#7: work/ssh-chat-1.10/sshd/client.go:70:30: sshd.ConnectShell calls ssh.Session.SendRequest shazow#8: work/ssh-chat-1.10/sshd/client.go:65:21: sshd.ConnectShell calls ssh.Session.Shell shazow#9: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.channel.Read shazow#10: work/ssh-chat-1.10/sshd/terminal/terminal.go:954:17: terminal.Terminal.SetBracketedPasteMode calls io.WriteString, which calls ssh.channel.Write shazow#11: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.extChannel.Read Vulnerability shazow#4: GO-2022-0968 Panic on malformed packets in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2022-0968 Module: golang.org/x/crypto Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected] Example traces found: shazow#1: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial shazow#2: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn Vulnerability shazow#5: GO-2021-0356 Denial of service via crafted Signer in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2021-0356 Module: golang.org/x/crypto Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected] Example traces found: shazow#1: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:122:19: ssh.main calls ssh.ServerConfig.AddHostKey Vulnerability shazow#6: GO-2021-0227 Panic on crafted authentication request message in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2021-0227 Module: golang.org/x/crypto Found in: golang.org/x/[email protected] Fixed in: golang.org/x/[email protected] Example traces found: shazow#1: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.