mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
bda87b7de8
full diff: https://github.com/golang/crypto/compare/v0.44.0...v0.45.0 Hello gophers, We have tagged version v0.45.0 of golang.org/x/crypto in order to address two security issues. This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a vulnerability in the golang.org/x/crypto/ssh/agent package which could cause programs to consume unbounded memory or panic respectively. SSH servers parsing GSSAPI authentication requests don't validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58181 and Go issue https://go.dev/issue/76363. SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-47914 and Go issue https://go.dev/issue/76364. Cheers, Go Security team Signed-off-by: Sebastiaan van Stijn <github@gone.nl>