@bunnichx
Contributor

@bunnichx bunnichx commented Jan 9, 2026

Merge Checklist

All boxes should be checked before merging the PR

  • The changes in the PR have been built and tested
  • [] cgmanifest file has been updated if required
  • Ready to merge

Description

ITEP-83591 : CVE-2025-58181 reported for caddy.

Any Newly Introduced Dependencies

How Has This Been Tested?

  • Developer Build with #1501 is successful. ISO installation is successful.
  • With changes BDBA scan 8097582, CVE is resolved.

@bunnichx bunnichx requested a review from a team as a code owner January 9, 2026 15:39
@bunnichx bunnichx marked this pull request as draft January 9, 2026 15:39
@bunnichx bunnichx self-assigned this Jan 12, 2026
@bunnichx bunnichx marked this pull request as ready for review January 12, 2026 10:37
 - Applied suggested patch from NVD database for CVE-2025-58181.

Signed-off-by: Unniche, BasavarajX <[email protected]>
@bunnichx bunnichx force-pushed the caddy-xcrypto-cve-fix branch from 7090d9a to 0d9b46e Compare January 12, 2026 10:39
Contributor

@andy-vm andy-vm left a comment

LGTM

@aaroncyew
Member

aaroncyew commented Jan 16, 2026

The method to apply the CVE patch isn't done properly. It's looking for file
vendor/golang.org/x/crypto//ssh/ssh_gss.go

@andy-vm @bunnichx kindly reevaluate your changes

@andy-vm
Contributor

andy-vm commented Jan 19, 2026

@bunnichx please double check the CVE test result, and share CVE scan url

With changes BDBA scan 8097582, CVE is resolved.

@bunnichx
Contributor Author

vendor/golang.org/x/crypto//ssh/ssh_gss.go

Updated the source rpm build logs to ITEP.

@aaroncyew
Member

+1 LGTM, the CVE patch is applied accordingly to vendor source directory

@bunnichx
Contributor Author

@bunnichx please double check the CVE test result, and share CVE scan url

With changes BDBA scan 8097582, CVE is resolved.

Updated in ITEP-83591
