NO-JIRA: Bump golang.org/x deps to fix reachable CVEs#373
Conversation
govulncheck found 6 reachable vulnerabilities in golang.org/x/crypto/ssh (all fixed in v0.52.0) and 2 in golang.org/x/net (fixed in v0.53.0 and v0.55.0), all reachable via validation.go's use of ssh.NewClientConn and sftp.NewClient: GO-2026-5020: infinite loop on large channel writes (ssh) GO-2026-5019: bypass of FIDO/U2F physical interaction (ssh) GO-2026-5018: pathological RSA/DSA parameters cause DoS (ssh) GO-2026-5017: client can cause server deadlock (ssh) GO-2026-5013: byte arithmetic underflow and panic (ssh) GO-2026-5026: failure to reject Punycode labels (net/idna) GO-2026-4918: infinite loop on bad SETTINGS_MAX_FRAME_SIZE (net/http2)
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rh-roman The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
WalkthroughThis PR updates go.mod, bumping version pins for golang.org/x/crypto, golang.org/x/net, and indirect dependencies x/sync, x/sys, x/term, x/text, and x/tools to newer releases, with no changes to exported entities. ChangesDependency version bumps
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #373 +/- ##
=======================================
Coverage 82.32% 82.32%
=======================================
Files 8 8
Lines 905 905
=======================================
Hits 745 745
Misses 148 148
Partials 12 12 🚀 New features to boost your workflow:
|
|
@rh-roman: This pull request explicitly references no jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@rh-roman: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
govulncheck found 6 reachable vulnerabilities in golang.org/x/crypto/ssh (all fixed in v0.52.0) and 2 in golang.org/x/net (fixed in v0.53.0 and v0.55.0), all reachable via validation.go's use of
ssh.NewClientConnandsftp.NewClient:Summary by CodeRabbit
golang.org/x/*packages, including crypto, networking, sync, sys, term, text, and tools-related libraries.