vendor: golang.org/x/crypto v0.35.0 #5869
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Go maintainers started to unconditionally update the minimum go version for golang.org/x/ dependencies to go1.23, which means that we'll no longer be able to support any version below that when updating those dependencies; > all: upgrade go directive to at least 1.23.0 [generated] > > By now Go 1.24.0 has been released, and Go 1.22 is no longer supported > per the Go Release Policy (https://go.dev/doc/devel/release#policy). > > For golang/go#69095. This updates our minimum version to go1.23, as we won't be able to maintain compatibility with older versions because of the above. Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: golang/sys@v0.29.0...v0.30.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
no code-changes, only a godoc comment updated full diff: golang/sync@v0.10.0...v0.11.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
no code-changes in vendored files. full diff: golang/text@v0.21.0...v0.22.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
No code-changes, but updates the minimum go version to go1.23: > all: upgrade go directive to at least 1.23.0 [generated] > > By now Go 1.24.0 has been released, and Go 1.22 is no longer supported > per the Go Release Policy (https://go.dev/doc/devel/release#policy). > > For golang/go#69095. full diff: golang/crypto@v0.31.0...v0.34.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
We have tagged version v0.35.0 of golang.org/x/crypto in order to address a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which could cause a denial of service. SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. Thanks to Yuichi Watanabe for reporting this issue. This is CVE-2025-22869 and Go issue https://go.dev/issue/71931. full diff: golang/crypto@v0.31.0...v0.35.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
commented
Feb 25, 2025
| golang.org/x/crypto v0.34.0 // indirect | ||
| golang.org/x/crypto v0.35.0 // indirect |
There was a problem hiding this comment.
No diff in vendored files for this update, so we don't need to update, other than for silencing scanners (false positive)
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5869 +/- ##
==========================================
- Coverage 59.30% 59.27% -0.03%
==========================================
Files 353 353
Lines 29694 29694
==========================================
- Hits 17609 17601 -8
- Misses 11104 11113 +9
+ Partials 981 980 -1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
vendor: golang.org/x/sys v0.30.0
full diff: golang/sys@v0.29.0...v0.30.0
vendor: golang.org/x/sync v0.11.0
no code-changes, only a godoc comment updated
full diff: golang/sync@v0.10.0...v0.11.0
vendor: golang.org/x/text v0.22.0
no code-changes in vendored files.
full diff: golang/text@v0.21.0...v0.22.0
vendor: golang.org/x/crypto v0.34.0
No code-changes, but updates the minimum go version to go1.23:
full diff: golang/crypto@v0.31.0...v0.34.0
vendor: golang.org/x/crypto v0.35.0
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: golang/crypto@v0.31.0...v0.35.0
- What I did
- How I did it
- How to verify it
- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)