[Security] Bump golang.org/x/crypto from 0.0.0-20190308221718-c2843e01d9a2 to 0.1.0 #11

Merged
argoyle merged 1 commits from dependabot-go_modules-golang.org-x-crypto-0.1.0 into master 2023-05-09 05:21:20 +00:00
argoyle commented 2023-05-08 18:36:54 +00:00 (Migrated from gitlab.com)

Bumps golang.org/x/crypto from 0.0.0-20190308221718-c2843e01d9a2 to 0.1.0. This update includes security fixes.

Vulnerabilities fixed

Improper Verification of Cryptographic Signature in golang.org/x/crypto
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Patched versions: 0.0.0-20200220183623-bac4c82f6975; 0.0.0-20200220183623-bac4c82f6975 Affected versions: <= 0.0.0-20200220183622; < 0.0.0-20200220183623-bac4c82f6975

Use of a Broken or Risky Cryptographic Algorithm in golang.org/x/crypto/ssh
golang.org/x/crypto/ssh versions 0.0.0-20220214200702-86341886e292 and prior in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey. Version 0.0.0-20220315160706-3147a52a75dd includes a fix for the vulnerability and support for SHA-2.

Patched versions: 0.0.0-20220314234659-1baeb1ce4c0b Affected versions: < 0.0.0-20220314234659-1baeb1ce4c0b

Panic in malformed certificate
The Helm core maintainers have identified a high severity security vulnerability in Go's crypto package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0.

Thanks to @ravin9249 for identifying the vulnerability.

Impact

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service.

Patches

A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+.

Workarounds

No workaround is available. Users are urged to upgrade.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2020-7919
  • helm/helm#8288 (https://github.com/helm/helm/pull/8288)

... (truncated)

Patched versions: 0.0.0-20200124225646-8b5121be2f68 Affected versions: < 0.0.0-20200124225646-8b5121be2f68

x/crypto/ssh vulnerable to panic via SSH server
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an unauthenticated attacker to panic an SSH server.

Patched versions: 0.0.0-20211202192323-5770296d904e Affected versions: < 0.0.0-20211202192323-5770296d904e

golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Patched versions: 0.0.0-20201216223049-8b5274cf687f Affected versions: < 0.0.0-20201216223049-8b5274cf687f

golang.org/x/crypto/salsa20/salsa uses insufficiently random values
An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto, before 2019-03-20. A flaw was found in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

Patched versions: 0.0.0-20190320223903-b7391e95e576 Affected versions: < 0.0.0-20190320223903-b7391e95e576

Commits

  • See full diff in compare view (https://github.com/golang/crypto/commits/v0.1.0)

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
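The six advisories above are all identified by x/crypto pseudo-versions, which Dependabot compares for you but which are easy to misread by eye. The following is an added example, not code from this MR or from golang.org/x/crypto: a stand-alone Go program that pulls the x/crypto version out of a go.mod, orders it against the patched pseudo-versions listed in the description, and reports which advisories the pinned version still lacks. It assumes only the two version shapes that appear on this page (tagged vX.Y.Z and vX.Y.Z-yyyymmddhhmmss-commit); the go.mod text is constructed for the example, and the advisory titles are shortened paraphrases of the headings above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Advisory pairs a (shortened) advisory title from this MR with the
// patched pseudo-version Dependabot lists for it.
type Advisory struct {
	Title   string
	Patched string
}

// Patched versions exactly as given in the Dependabot description above.
var advisories = []Advisory{
	{"x/crypto/ssh panic during signature verification", "v0.0.0-20200220183623-bac4c82f6975"},
	{"x/crypto/ssh crash involving AddHostKey", "v0.0.0-20220314234659-1baeb1ce4c0b"},
	{"cryptobyte panic on malformed X.509 certificate", "v0.0.0-20200124225646-8b5121be2f68"},
	{"x/crypto/ssh unauthenticated panic of SSH server", "v0.0.0-20211202192323-5770296d904e"},
	{"x/crypto/ssh nil pointer dereference", "v0.0.0-20201216223049-8b5274cf687f"},
	{"salsa20 amd64 keystream counter wrap", "v0.0.0-20190320223903-b7391e95e576"},
}

// Version covers the subset of Go module version syntax used on this page:
// a tagged release vX.Y.Z or a pseudo-version vX.Y.Z-yyyymmddhhmmss-commit.
// Assumption: the "-0." and "-pre.0." pseudo-version variants are not handled.
type Version struct {
	Major, Minor, Patch int
	Timestamp           string // 14 UTC digits for a pseudo-version, "" for a release
	Commit              string
}

var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)(?:-(\d{14})-([0-9a-f]{12}))?$`)

// ParseVersion parses a version string such as "v0.1.0" or
// "v0.0.0-20190308221718-c2843e01d9a2" (a leading "v" is optional).
func ParseVersion(s string) (Version, error) {
	m := versionRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Version{}, fmt.Errorf("unsupported version syntax: %q", s)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return Version{major, minor, patch, m[4], m[5]}, nil
}

// Less orders versions the way the go command does for these shapes: numeric
// major/minor/patch first; a pseudo-version is a pre-release of its base and
// so sorts before the tagged base; two pseudo-versions on the same base are
// ordered by their fixed-width timestamp (lexical order is chronological).
func (a Version) Less(b Version) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	if a.Patch != b.Patch {
		return a.Patch < b.Patch
	}
	if (a.Timestamp == "") != (b.Timestamp == "") {
		return a.Timestamp != "" // pre-release sorts before the release
	}
	return a.Timestamp < b.Timestamp
}

// RequiredVersion returns the version that go.mod text requires for
// modulePath, accepting both "require path vX" and block-form require lines.
func RequiredVersion(gomod, modulePath string) (string, error) {
	for _, line := range strings.Split(gomod, "\n") {
		fields := strings.Fields(line)
		if len(fields) >= 3 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == modulePath {
			return fields[1], nil
		}
	}
	return "", fmt.Errorf("%s is not required in go.mod", modulePath)
}

// Unpatched returns the titles of the advisories whose fix is newer than current.
func Unpatched(current string) ([]string, error) {
	cur, err := ParseVersion(current)
	if err != nil {
		return nil, err
	}
	var open []string
	for _, adv := range advisories {
		fix, err := ParseVersion(adv.Patched)
		if err != nil {
			return nil, err
		}
		if cur.Less(fix) {
			open = append(open, adv.Title)
		}
	}
	return open, nil
}

// sampleGoMod is a constructed go.mod pinning the pre-bump version from this MR.
const sampleGoMod = "module example.com/app\n\ngo 1.16\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2\n)\n"

func main() {
	v, err := RequiredVersion(sampleGoMod, "golang.org/x/crypto")
	if err != nil {
		panic(err)
	}
	open, err := Unpatched(v)
	if err != nil {
		panic(err)
	}
	fmt.Printf("golang.org/x/crypto %s: %d unpatched advisories\n", v, len(open))
	for _, t := range open {
		fmt.Println("  -", t)
	}
}
```

Against the pre-bump pin the program reports all six advisories open; against v0.1.0 it reports none, because a tagged 0.1.0 sorts after every v0.0.0-* pseudo-version regardless of date. In a real pipeline `govulncheck ./...` performs this comparison against the Go vulnerability database and also checks whether the vulnerable symbols are reachable; the hand-rolled ordering here is only to make the pseudo-version arithmetic behind this MR visible.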
argoyle commented 2023-05-08 18:48:31 +00:00 (Migrated from gitlab.com)

$dependabot recreate
argoyle commented 2023-05-08 19:05:44 +00:00 (Migrated from gitlab.com)

⚠️ dependabot is recreating merge request. All changes will be overwritten! ⚠️
argoyle commented 2023-05-08 19:05:51 +00:00 (Migrated from gitlab.com)

dependabot failed recreating merge request.

No such file or directory - go
argoyle commented 2023-05-09 05:15:14 +00:00 (Migrated from gitlab.com)

added 2 commits

  • 73c9ee45 - 1 commit from branch master
  • 9c63d00b - [Security] Bump golang.org/x/crypto

Compare with previous version: /unboundsoftware/default-request-adder/-/merge_requests/8/diffs?diff_id=675544000&start_sha=a52a32427614700cb8bff30f07657ea60b86cf75
argoyle commented 2023-05-09 05:17:28 +00:00 (Migrated from gitlab.com)

resolved all threads
argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2023-05-09 05:17:40 +00:00
argoyle (Migrated from gitlab.com) merged commit into master 2023-05-09 05:21:20 +00:00