Skip to content

Bump Go to 1.25 and golang.org/x/crypto to v0.52.0#657

Open
derek-etherton-opslevel wants to merge 2 commits into
mainfrom
fix/x-crypto-ssh-cves
Open

Bump Go to 1.25 and golang.org/x/crypto to v0.52.0#657
derek-etherton-opslevel wants to merge 2 commits into
mainfrom
fix/x-crypto-ssh-cves

Conversation

@derek-etherton-opslevel

@derek-etherton-opslevel derek-etherton-opslevel commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR raises the minimum Go version and patches seven critical CVEs in golang.org/x/crypto/ssh. Building the provider from source now requires Go 1.25.0 (up from 1.24.0), because golang.org/x/crypto v0.52.0 sets that as its go directive minimum.

CI reads the Go version from go.mod (go-version-file: go.mod), so no workflow changes are needed. Consumers who install the published provider binary are unaffected.

Go requirement

  • go.mod go directive: 1.24.01.25.0
  • toolchain go1.24.2 line removed (implied by the new directive)

Dependency bumps

Bumps golang.org/x/crypto from 0.47.0 to 0.52.0.

Commit history between tags: golang/crypto@v0.47.0...v0.52.0

Security fixes

This upgrade patches 7 critical CVEs, all in golang.org/x/crypto/ssh.

0.52.0

  • GO-2026-5020 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
  • GO-2026-5023 Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
  • GO-2026-5006 When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
  • GO-2026-5017 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
  • GO-2026-5019 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a no-touch-required extension in Permissions.Extensions from PublicKeyCallback.
  • GO-2026-5021 Previously, a revoked SignatureKey belonging to a CA was not correctly checked for revocation. Now, both the key and key.SignatureKey are checked for @revoked.
  • GO-2026-5005 The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Other changes

go mod tidy also pulled these sibling golang.org/x/* modules forward:

  • golang.org/x/net v0.49.0 → v0.54.0 (does not yet cover GO-2026-5026 — that requires v0.55.0 and will follow in a separate PR)
  • golang.org/x/mod v0.31.0 → v0.35.0
  • golang.org/x/sync v0.19.0 → v0.20.0
  • golang.org/x/sys v0.40.0 → v0.45.0
  • golang.org/x/telemetry bumped to v0.0.0-20260409153401-be6f6cb8b1fa
  • golang.org/x/term v0.39.0 → v0.43.0
  • golang.org/x/text v0.33.0 → v0.37.0
  • golang.org/x/tools v0.44.0 (from v0.40.0)

🤖 Generated with Claude Code

derek-etherton-opslevel and others added 2 commits July 7, 2026 11:19
Patches 7 critical CVEs in golang.org/x/crypto/ssh:
GO-2026-5020, 5023, 5006, 5017, 5019, 5021, 5005.

Requires Go 1.25.0 (per the x/crypto v0.52.0 go.mod directive).
Sibling x/* deps moved forward together via `go mod tidy`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@derek-etherton-opslevel derek-etherton-opslevel changed the title Bump golang.org/x/crypto to v0.52.0 (7 SSH CVEs) Bump Go to 1.25 and golang.org/x/crypto to v0.52.0 (7 SSH CVEs) Jul 7, 2026
@derek-etherton-opslevel derek-etherton-opslevel changed the title Bump Go to 1.25 and golang.org/x/crypto to v0.52.0 (7 SSH CVEs) Bump Go to 1.25 and golang.org/x/crypto to v0.52.0 Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant