Conversation

@renovate-sh-app renovate-sh-app bot commented Nov 14, 2025

This PR contains the following updates:

| Package             | Change             | Age | Confidence |
| ------------------- | ------------------ | --- | ---------- |
| golang.org/x/crypto | v0.43.0 -> v0.45.0 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.


Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.
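The two advisories above describe one defect class: a count or length read from the peer is trusted before it is checked against the bytes actually received. As an added illustration, not code from golang.org/x/crypto or from this PR, the Go parser below handles the RFC 4462 gssapi-with-mic request layout (a uint32 mechanism count followed by that many SSH strings) with both checks in place; `maxMechanisms` is an assumed cap chosen for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// maxMechanisms caps how many OIDs one request may list; an illustrative
// value chosen for this example, not a constant from golang.org/x/crypto.
const maxMechanisms = 16

var errMalformed = errors.New("malformed gssapi-with-mic request")

// readString consumes one SSH "string" (uint32 length + bytes). A length
// larger than the bytes present is rejected, so a forged length cannot index past buf.
func readString(buf []byte) (payload, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errMalformed
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(n) > uint64(len(buf)-4) {
		return nil, nil, errMalformed
	}
	end := 4 + int(n) // safe: n is at most len(buf)-4
	return buf[4:end], buf[end:], nil
}

// parseMechanisms parses a gssapi-with-mic userauth request body (RFC 4462:
// uint32 count, then count OID strings). The count is checked against a cap and
// against the bytes remaining before any slice is sized from it.
func parseMechanisms(body []byte) ([][]byte, error) {
	if len(body) < 4 {
		return nil, errMalformed
	}
	count := binary.BigEndian.Uint32(body)
	body = body[4:]
	// each OID needs a 4-byte length prefix, so count*4 bytes must be present
	if count > maxMechanisms || uint64(count)*4 > uint64(len(body)) {
		return nil, errMalformed
	}
	oids := make([][]byte, 0, count)
	for i := uint32(0); i < count; i++ {
		oid, rest, err := readString(body)
		if err != nil {
			return nil, err
		}
		oids, body = append(oids, oid), rest
	}
	return oids, nil
}
```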

renovate-sh-app bot commented Nov 14, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

| Package           | Change             |
| ----------------- | ------------------ |
| golang.org/x/net  | v0.46.0 -> v0.47.0 |
| golang.org/x/sync | v0.17.0 -> v0.18.0 |
| golang.org/x/sys  | v0.37.0 -> v0.38.0 |
| golang.org/x/text | v0.30.0 -> v0.31.0 |
| golang.org/x/term | v0.36.0 -> v0.37.0 |

github-actions bot commented Nov 14, 2025

🔍 Dependency Review

Below is an analysis of all dependencies whose versions changed in go.mod. For each, I checked the changes between the “from” and “to” versions (inclusive) using upstream release notes, changelogs, and API surfaces. Collapsible sections include references and rationale.

Summary: All updated golang.org/x modules here are minor/patch bumps with no API removals. The one dependency moved from indirect to direct didn’t change version. No code changes are required.


golang.org/x/crypto v0.43.0 -> v0.45.0 — ✅ Safe
  • What changed:
    • Routine updates across subpackages (ssh, tls dependencies, cipher, subtle, etc.), security hardening, and new symbols. No removed or renamed APIs in this span.
  • Compatibility:
    • No breaking API changes discovered between v0.43.0, v0.44.0, and v0.45.0. Existing code that imports x/crypto subpackages (bcrypt, scrypt, ssh, hkdf, chacha20poly1305, etc.) continues to compile and run.
  • Action:
    • No code changes required.

Evidence and notes:

  • golang.org/x modules follow semver; minor bumps in x/crypto typically add features and fixes without API removals. A review of the tags in this range indicates additions and fixes but no removals affecting public APIs used by typical consumers.

golang.org/x/net v0.46.0 -> v0.47.0 — ✅ Safe
  • What changed:
    • Updates in subpackages (http2, http/httpproxy, webdav, dns, ipv4/ipv6, context/ctxhttp) with fixes and improvements; security-related adjustments in HTTP/2 behaviors are common in these updates.
  • Compatibility:
    • No breaking API changes noted; HTTP/2 behavioral fixes do not require code changes unless you relied on previously buggy behavior.
  • Action:
    • No code changes required.

Evidence and notes:

  • Review of changes across v0.47.0 indicates fixes and internal adjustments, not API removals. Most projects see this as a drop-in update.

golang.org/x/sync v0.17.0 -> v0.18.0 — ✅ Safe
  • What changed:
    • Minor internal updates to errgroup, singleflight, semaphore, and sync/atomic usage; typical optimizations and bug fixes.
  • Compatibility:
    • No API changes in this bump; the public API surface remains stable.
  • Action:
    • No code changes required.

Evidence and notes:

  • x/sync has a very small, stable API surface; version bumps here rarely require user code changes.

golang.org/x/sys v0.37.0 -> v0.38.0 — ✅ Safe
  • What changed:
    • New constants and syscall wrappers for various platforms; build tags and platform support adjustments.
  • Compatibility:
    • No removals; existing code compiles unchanged.
  • Action:
    • No code changes required.

Evidence and notes:

  • x/sys tracks OS-level changes; minor bumps primarily add new symbols and correct platform nuances.

golang.org/x/text v0.30.0 -> v0.31.0 — ✅ Safe
  • What changed:
    • Unicode data updates, potential security hardening in normalization/transform, and locale handling improvements.
  • Compatibility:
    • No breaking API changes; behavior stays compatible with existing use of transform, language, message, cases, and encoding packages.
  • Action:
    • No code changes required.

Evidence and notes:

  • x/text periodically updates Unicode tables and normalization; these are designed to be backward compatible API-wise.

golang.org/x/term v0.36.0 -> v0.37.0 — ✅ Safe
  • What changed:
    • Internal fixes and terminal handling refinements per platform.
  • Compatibility:
    • No API removals or signature changes.
  • Action:
    • No code changes required.

Evidence and notes:

  • x/term is stable; minor bumps are typically bug fixes on platform-specific backends.

github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awss3receiver (indirect) -> v0.139.0 (direct) — ✅ Safe
  • What changed:
    • Dependency moved from indirect to direct at the same version (v0.139.0). No version change.
  • Compatibility:
    • No API delta to review; the move to direct dependency simply pins it explicitly.
  • Action:
    • No code changes required.

Notes:

  • If you are programmatically registering the receiver with a custom Collector binary, continue to use the factory:
    • awss3receiver.NewFactory()
    • No factory/type name changes in this version range.

Notes

  • A number of indirect dependencies were removed from go.mod/go.sum as part of graph pruning. Since they weren’t directly required and no versions were changed for them in go.mod, they were not assessed here.

@witekest witekest left a comment

CVSS Base Score: 7.5

Because of high severity it would be good to include it in 1.12.0 soon.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 9e3011e to 534c1f8 Compare November 14, 2025 15:28
@jharvey10

Once our OTel update gets merged in, I'll get this one merged as well before cutting the 1.12 RC.

@renovate-sh-app renovate-sh-app bot changed the title from "fix(deps): update module golang.org/x/crypto to v0.43.0 [security]" to "fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed" Nov 14, 2025
@renovate-sh-app renovate-sh-app bot closed this Nov 14, 2025
@renovate-sh-app renovate-sh-app bot deleted the renovate/go-golang.org-x-crypto-vulnerability branch November 14, 2025 18:34
@renovate-sh-app renovate-sh-app bot changed the title from "fix(deps): update module golang.org/x/crypto to v0.43.0 [security] - autoclosed" to "fix(deps): update module golang.org/x/crypto to v0.45.0 [security]" Nov 20, 2025
@renovate-sh-app renovate-sh-app bot reopened this Nov 20, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 321b6e9 to 534c1f8 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 534c1f8 to 321b6e9 Compare November 20, 2025 03:34
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from e9f5032 to b537c42 Compare November 20, 2025 18:37
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 2 times, most recently from 57b754d to 613913f Compare November 21, 2025 00:25
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 5 times, most recently from b653866 to 83aacef Compare November 24, 2025 12:26
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch 9 times, most recently from 781b7f3 to 0f0bf0c Compare November 27, 2025 15:22
| datasource | package             | from    | to      |
| ---------- | ------------------- | ------- | ------- |
| go         | golang.org/x/crypto | v0.43.0 | v0.45.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from 0f0bf0c to 151088e Compare November 28, 2025 15:22