happyDomain/happyDeliver
2
0
Fork 0
Code Issues 6 Pull requests 7 Projects Releases Packages Wiki Activity Actions

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] #42

Merged
renovate-bot merged 1 commit from renovate/go-golang.org-x-crypto-vulnerability into master 2025-11-28 21:15:11 +00:00
Conversation 0 Commits 1 Files changed 2 +4 -11
renovate-bot commented 2025-11-26 05:14:30 +00:00
Collaborator
Copy link

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
golang.org/x/crypto v0.44.0 -> v0.45.0 age adoption passing confidence

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | golang.org/x/crypto | `v0.44.0` -> `v0.45.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fcrypto/v0.45.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/golang.org%2fx%2fcrypto/v0.45.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/golang.org%2fx%2fcrypto/v0.44.0/v0.45.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fcrypto/v0.44.0/v0.45.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Unbounded memory consumption in golang.org/x/crypto/ssh [CVE-2025-58181](https://nvd.nist.gov/vuln/detail/CVE-2025-58181) / [GHSA-j5w8-q4qc-rx2x](https://github.com/advisories/GHSA-j5w8-q4qc-rx2x) / [GO-2025-4134](https://pkg.go.dev/vuln/GO-2025-4134) <details> <summary>More information</summary> #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References - [https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA](https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA) - [https://go.dev/cl/721961](https://go.dev/cl/721961) - [https://go.dev/issue/76363](https://go.dev/issue/76363) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4134) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read [CVE-2025-47914](https://nvd.nist.gov/vuln/detail/CVE-2025-47914) / [GHSA-f6x5-jh6r-wrfv](https://github.com/advisories/GHSA-f6x5-jh6r-wrfv) / [GO-2025-4135](https://pkg.go.dev/vuln/GO-2025-4135) <details> <summary>More information</summary> #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-47914](https://nvd.nist.gov/vuln/detail/CVE-2025-47914) - [https://go.dev/cl/721960](https://go.dev/cl/721960) - [https://go.dev/issue/76364](https://go.dev/issue/76364) - [https://go.googlesource.com/crypto](https://go.googlesource.com/crypto) - [https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA](https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA) - [https://pkg.go.dev/vuln/GO-2025-4135](https://pkg.go.dev/vuln/GO-2025-4135) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-f6x5-jh6r-wrfv) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent [CVE-2025-47914](https://nvd.nist.gov/vuln/detail/CVE-2025-47914) / [GHSA-f6x5-jh6r-wrfv](https://github.com/advisories/GHSA-f6x5-jh6r-wrfv) / [GO-2025-4135](https://pkg.go.dev/vuln/GO-2025-4135) <details> <summary>More information</summary> #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References - [https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA](https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA) - [https://go.dev/cl/721960](https://go.dev/cl/721960) - [https://go.dev/issue/76364](https://go.dev/issue/76364) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4135) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption [CVE-2025-58181](https://nvd.nist.gov/vuln/detail/CVE-2025-58181) / [GHSA-j5w8-q4qc-rx2x](https://github.com/advisories/GHSA-j5w8-q4qc-rx2x) / [GO-2025-4134](https://pkg.go.dev/vuln/GO-2025-4134) <details> <summary>More information</summary> #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2025-58181](https://nvd.nist.gov/vuln/detail/CVE-2025-58181) - [https://go.dev/cl/721961](https://go.dev/cl/721961) - [https://go.dev/issue/76363](https://go.dev/issue/76363) - [https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA](https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA) - [https://pkg.go.dev/vuln/GO-2025-4134](https://pkg.go.dev/vuln/GO-2025-4134) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-j5w8-q4qc-rx2x) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xOS43IiwidXBkYXRlZEluVmVyIjoiNDIuMTkuNyIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
renovate-bot scheduled this pull request to auto merge when all checks succeed 2025-11-26 05:14:31 +00:00
renovate-bot deleted branch renovate/go-golang.org-x-crypto-vulnerability 2025-11-28 21:15:12 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
happyDomain/happyDeliver!42
No description provided.