Skip to content

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] #303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate-sh-app wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module golang.org/x/crypto to v0.45.0 [security] #303

renovate-sh-app wants to merge 1 commit into from
+21 −21

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Nov 20, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/crypto v0.43.0v0.45.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner November 20, 2025 06:49
@renovate-sh-app renovate-sh-app bot requested review from iwysiu and njvrzm and removed request for a team November 20, 2025 06:49
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) November 20, 2025 06:49
@renovate-sh-app
Copy link
Contributor Author

renovate-sh-app bot commented Nov 20, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.28.0 -> v0.29.0
golang.org/x/net v0.46.0 -> v0.47.0
golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 -> v0.0.0-20251008203120-078029d740a8
golang.org/x/term v0.36.0 -> v0.37.0
golang.org/x/text v0.30.0 -> v0.31.0
golang.org/x/tools v0.37.0 -> v0.38.0

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 3f8615a to 95555fc Compare November 20, 2025 21:49
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 95555fc to 256fec6 Compare November 21, 2025 00:52
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from fb6c802 to 27e83a3 Compare November 27, 2025 09:11
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 79a65bb to 6724306 Compare December 8, 2025 21:38
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 3 times, most recently from 9ce482a to 5f16050 Compare December 18, 2025 09:32
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module golang.org/x/crypto to v0.45.0 [security] chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed Dec 24, 2025
@renovate-sh-app renovate-sh-app bot closed this Dec 24, 2025
auto-merge was automatically disabled December 24, 2025 15:37

Pull request was closed

@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch December 24, 2025 15:37
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module golang.org/x/crypto to v0.45.0 [security] - autoclosed chore(deps): update module golang.org/x/crypto to v0.45.0 [security] Dec 24, 2025
@renovate-sh-app renovate-sh-app bot reopened this Dec 24, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 6f77a7b to 5f16050 Compare December 24, 2025 18:42
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 5f16050 to 6f77a7b Compare December 24, 2025 18:42
@renovate-sh-app
Copy link
Contributor Author

renovate-sh-app bot commented Dec 24, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
golang.org/x/mod v0.28.0 -> v0.29.0
golang.org/x/net v0.46.0 -> v0.47.0
golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 -> v0.0.0-20251008203120-078029d740a8
golang.org/x/term v0.36.0 -> v0.37.0
golang.org/x/text v0.30.0 -> v0.31.0
golang.org/x/tools v0.37.0 -> v0.38.0

@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) December 24, 2025 21:31
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 3 times, most recently from f130b85 to d9050de Compare January 6, 2026 00:38
@renovate-sh-app
chore(deps): update module golang.org/x/crypto to v0.45.0 [security]
a344b7a 
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from d9050de to a344b7a Compare January 6, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iwysiu iwysiu Awaiting requested review from iwysiu iwysiu is a code owner automatically assigned from grafana/aws-datasources

@njvrzm njvrzm Awaiting requested review from njvrzm njvrzm is a code owner automatically assigned from grafana/aws-datasources

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants