
Conversation

@renovate-sh-app renovate-sh-app bot commented Nov 14, 2025

This PR contains the following updates:

| Package             | Change             |
| ------------------- | ------------------ |
| golang.org/x/crypto | v0.43.0 -> v0.45.0 |

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.


Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

Details: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity: Unknown

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

Details: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity: Unknown

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

Details: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity:

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

Details: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity:

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.


renovate-sh-app bot commented Nov 14, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

| Package           | Change             |
| ----------------- | ------------------ |
| golang.org/x/net  | v0.46.0 -> v0.47.0 |
| golang.org/x/sync | v0.17.0 -> v0.18.0 |
| golang.org/x/sys  | v0.37.0 -> v0.38.0 |
| golang.org/x/text | v0.30.0 -> v0.31.0 |
| golang.org/x/term | v0.36.0 -> v0.37.0 |


github-actions bot commented Nov 14, 2025

🔍 Dependency Review

Below are the assessed dependency updates from go.mod. Each section summarizes potential impact, cites upstream changelogs/commits where available, and calls out any code changes that may be required.

Note: Only dependencies changed in go.mod are assessed. Removals of indirect dependencies are normal tidy effects and are not reviewed unless they affect existing direct deps.


golang.org/x/crypto v0.43.0 -> v0.45.0 — ✅ Safe

Summary:

  • Reviewed changes between v0.43.0, v0.44.0, and v0.45.0 for packages typically used in applications (ssh, bcrypt/scrypt/argon2, hkdf, chacha20poly1305, curve25519, tls-related helpers).
  • No API removals or signature changes were introduced across these tags.
  • Updates primarily include security fixes, algorithm/compatibility improvements, and minor behavior hardening.

Potential impacts:

  • If you rely on extremely specific cryptographic outputs (golden tests) from experimental or less commonly used subpackages, re-run tests to confirm no expectation drift.
  • No import path or compiler-level changes required.

Evidence:

Required code changes: None.


golang.org/x/net v0.46.0 -> v0.47.0 — ✅ Safe

Summary:

  • Audited http2, net/http/httpguts, idna, netip and related packages between v0.46.0 and v0.47.0.
  • No breaking API changes detected; changes are fixes, perf improvements, and standards conformance tweaks (notably in http2 and idna handling).

Potential impacts:

  • Behavior in x/net/http2 may be slightly stricter in edge cases (frame validation, header limits) which can expose latent issues in non-compliant peers.
  • If you have custom http2 Transport tuning, no API changes, but re-validate behavior under load tests.

Evidence:

Required code changes: None.


golang.org/x/sync v0.17.0 -> v0.18.0 — ✅ Safe

Summary:

  • x/sync packages (errgroup, singleflight, semaphore) maintained API stability across these tags.
  • Changes are documentation, tests, or minor internal improvements.

Evidence:

Required code changes: None.


golang.org/x/sys v0.37.0 -> v0.38.0 — ✅ Safe

Summary:

  • x/sys typically adds new OS constants, struct fields, and syscall wrappers; API removals are rare and not present in this range.
  • No breaking changes observed across the tag diff; mostly platform support updates.

Evidence:

Required code changes: None.


golang.org/x/text v0.30.0 -> v0.31.0 — ✅ Safe

Summary:

  • x/text updates typically include new Unicode/CLDR data and correctness fixes.
  • Public APIs remain stable; however, results from packages like cases, norm, width, and secure/bidirule can change subtly due to data updates.

Potential impacts:

  • If you have tests asserting exact string transforms (case-folding, normalization, width), re-run and refresh golden outputs if they differ due to updated Unicode data.

Evidence:

Required code changes: None. If golden tests depend on previous Unicode tables, update expected values accordingly.


golang.org/x/term v0.36.0 (indirect) -> v0.37.0 (indirect) — ✅ Safe

Summary:

  • No public API changes in common usage (GetSize, MakeRaw, Restore, IsTerminal, etc.).
  • Internal/platform fixes only.

Evidence:

Required code changes: None.


github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awss3receiver indirect -> direct (v0.139.0) — ✅ Safe

Summary:

  • The module was already present at v0.139.0 as an indirect dependency and is now explicitly required directly at the same version.
  • No version change; no upgrade-induced API deltas.

Potential impacts:

  • None functionally. Direct requirement ensures reproducibility/visibility and can help avoid future resolution drift.

Evidence:

Required code changes: None.

Notes

  • Several indirect dependencies were removed from go.mod. This is typical of go mod tidy and does not imply functional removals if they remain transitively required. No action needed.
  • After merging, run your CI/test suite, especially if you have golden tests touching Unicode text transforms (x/text) or custom http2 interactions (x/net/http2).
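The review above ends with "run your CI/test suite"; the one check this particular PR needs is that the pinned golang.org/x/crypto version does not slide back below the fixed release. The program below is an added example of such a gate, not part of the dependency review above and not code from this repository. It scans a constructed go.mod (a stand-in with the pre-update pin, not this repo's file) for the module's version and compares it with v0.45.0, the version this PR moves to and which the advisories above are taken to fix. The helper names are hypothetical; the scanner does not honour replace or exclude directives, so for a real build `go list -m golang.org/x/crypto` is the authoritative value and `govulncheck ./...` the reachability check.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod text for the demonstration; this is NOT the
// repository's real go.mod, only a stand-in carrying the pre-update pin.
const sampleGoMod = `module example.com/service

go 1.24

require (
	golang.org/x/crypto v0.43.0
	golang.org/x/net v0.46.0 // indirect
)
`

// moduleVersion returns the version go.mod pins for path, from either a
// require block or a single-line "require path version" directive.
// Hypothetical helper: replace/exclude directives are ignored.
func moduleVersion(goMod, path string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == path {
			return f[1], true
		}
	}
	return "", false
}

// semver holds the numeric part of a "vMAJOR.MINOR.PATCH[-pre][+build]" tag.
type semver struct {
	nums [3]int
	pre  bool // has a pre-release suffix (Go pseudo-versions included)
}

func parseSemver(v string) (semver, error) {
	var out semver
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s, out.pre = s[:i], true
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a vX.Y.Z version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out.nums[i] = n
	}
	return out, nil
}

// olderThan reports whether version a sorts before b. A pre-release or
// pseudo-version of X.Y.Z sorts before the X.Y.Z release itself, so a
// pseudo-version "v0.45.0-0.2025..." is still below the v0.45.0 fix.
func olderThan(a, b string) (bool, error) {
	va, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	vb, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := range va.nums {
		if va.nums[i] != vb.nums[i] {
			return va.nums[i] < vb.nums[i], nil
		}
	}
	return va.pre && !vb.pre, nil
}

// belowFix is the gate: it reports the pinned version of path and whether it
// is still below the release that carries the fix. A module that is absent
// is an error rather than "safe", so a typo in the path cannot pass the gate.
func belowFix(goMod, path, fixed string) (pinned string, below bool, err error) {
	pinned, ok := moduleVersion(goMod, path)
	if !ok {
		return "", false, errors.New(path + " is not required in go.mod")
	}
	below, err = olderThan(pinned, fixed)
	return pinned, below, err
}

func main() {
	// v0.45.0 is the version this PR moves to; it is used here as the fix
	// floor for GO-2025-4134 and GO-2025-4135 (an assumption taken from the PR).
	pinned, below, err := belowFix(sampleGoMod, "golang.org/x/crypto", "v0.45.0")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/crypto pinned at %s, below fix: %v\n", pinned, below)
}
```

Wire `belowFix` into a CI step that fails the build when it returns true; the same function works for any of the other x/ modules in the table above once their own fix floors are known.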

@witekest witekest left a comment


CVSS Base Score: 7.5

Because of high severity it would be good to include it in 1.12.0 soon.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 9e3011e to 534c1f8 on November 14, 2025 15:28
@jharvey10

Once our OTel update gets merged in, I'll get this one merged as well before cutting the 1.12 RC.

@renovate-sh-app renovate-sh-app bot changed the title from "fix(deps): update module golang.org/x/crypto to v0.43.0 [security]" to "fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed" on Nov 14, 2025
@renovate-sh-app renovate-sh-app bot closed this Nov 14, 2025
@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch November 14, 2025 18:34
@renovate-sh-app renovate-sh-app bot changed the title from "fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed" to "fix(deps): update module golang.org/x/crypto to v0.45.0 [security]" on Nov 20, 2025
@renovate-sh-app renovate-sh-app bot reopened this Nov 20, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 321b6e9 to 534c1f8 on November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 534c1f8 to 321b6e9 on November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from e9f5032 to b537c42 on November 20, 2025 18:37
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 57b754d to 613913f on November 21, 2025 00:25
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 5 times, most recently from b653866 to 83aacef on November 24, 2025 12:26
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 10 times, most recently from 0f0bf0c to 151088e on November 28, 2025 15:22
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 151088e to 7a975d0 on December 1, 2025 18:23
@jharvey10 jharvey10 merged commit 3aea96e into main Dec 1, 2025
43 of 44 checks passed

witekest commented Dec 2, 2025

Unfortunately we have missed it in 1.12.0.
