Skip to content

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] #867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] #867

wants to merge 1 commit into from

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Nov 14, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/crypto v0.43.0 -> v0.45.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner November 14, 2025 10:28
@renovate-sh-app renovate-sh-app bot removed the request for review from a team November 14, 2025 10:28
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) November 14, 2025 10:28
@renovate-sh-app
Copy link
Contributor Author

renovate-sh-app bot commented Nov 14, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.28.0 -> v0.29.0
golang.org/x/net v0.46.0 -> v0.47.0
golang.org/x/sys v0.37.0 -> v0.38.0
golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 -> v0.0.0-20251008203120-078029d740a8
golang.org/x/term v0.36.0 -> v0.37.0
golang.org/x/text v0.30.0 -> v0.31.0
golang.org/x/tools v0.37.0 -> v0.38.0

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from c97ce39 to 1d1057b Compare November 18, 2025 12:15
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module golang.org/x/crypto to v0.43.0 [security] chore(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed Nov 19, 2025
@renovate-sh-app renovate-sh-app bot closed this Nov 19, 2025
auto-merge was automatically disabled November 19, 2025 09:16

Pull request was closed

@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch November 19, 2025 09:16
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed chore(deps): update module golang.org/x/crypto to v0.45.0 [security] Nov 20, 2025
@renovate-sh-app renovate-sh-app bot reopened this Nov 20, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 0edc238 to 1d1057b Compare November 20, 2025 03:54
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 1d1057b to 0edc238 Compare November 20, 2025 03:54
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) November 20, 2025 06:53
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 70046dc to b8a01cf Compare November 20, 2025 18:52
@renovate-sh-app
chore(deps): update module golang.org/x/crypto to v0.45.0 [security]
d77c148 
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from b8a01cf to d77c148 Compare November 26, 2025 09:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iwysiu iwysiu Awaiting requested review from iwysiu iwysiu is a code owner automatically assigned from grafana/aws-datasources

@kevinwcyu kevinwcyu Awaiting requested review from kevinwcyu kevinwcyu is a code owner automatically assigned from grafana/aws-datasources

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants