vendor: golang.org/x/crypto v0.45.0

full diff: https://github.com/golang/crypto/compare/v0.44.0...v0.45.0 Hello gophers, We have tagged version v0.45.0 of golang.org/x/crypto in order to address two security issues. This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a vulnerability in the golang.org/x/crypto/ssh/agent package which could cause programs to consume unbounded memory or panic respectively. SSH servers parsing GSSAPI authentication requests don't validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58181 and Go issue https://go.dev/issue/76363. SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-47914 and Go issue https://go.dev/issue/76364. Cheers, Go Security team Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-01-11 18:51:37 +00:00 · 2025-11-26 14:33:21 +01:00
parent c592d02dfc
commit bda87b7de8
7 changed files with 94 additions and 51 deletions
--- a/go.mod
+++ b/go.mod
@@ -243,7 +243,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/crypto v0.44.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/api v0.248.0 // indirect