Bump Go to 1.25 and golang.org/x/crypto to v0.52.0#657
Open
derek-etherton-opslevel wants to merge 2 commits into
Open
Bump Go to 1.25 and golang.org/x/crypto to v0.52.0#657derek-etherton-opslevel wants to merge 2 commits into
derek-etherton-opslevel wants to merge 2 commits into
Conversation
Patches 7 critical CVEs in golang.org/x/crypto/ssh: GO-2026-5020, 5023, 5006, 5017, 5019, 5021, 5005. Requires Go 1.25.0 (per the x/crypto v0.52.0 go.mod directive). Sibling x/* deps moved forward together via `go mod tidy`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR raises the minimum Go version and patches seven critical CVEs in
golang.org/x/crypto/ssh. Building the provider from source now requires Go 1.25.0 (up from 1.24.0), becausegolang.org/x/cryptov0.52.0 sets that as itsgodirective minimum.CI reads the Go version from
go.mod(go-version-file: go.mod), so no workflow changes are needed. Consumers who install the published provider binary are unaffected.Go requirement
go.modgodirective:1.24.0→1.25.0toolchain go1.24.2line removed (implied by the new directive)Dependency bumps
Bumps golang.org/x/crypto from 0.47.0 to 0.52.0.
Commit history between tags: golang/crypto@v0.47.0...v0.52.0
Security fixes
This upgrade patches 7 critical CVEs, all in
golang.org/x/crypto/ssh.0.52.0
Writecall on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now usesint64to prevent truncation.restrict-destination-v00@openssh.comwere not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned byNewKeyring()now rejects keys with unsupported constraint extensions instead of silently ignoring them.Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.Verify()method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return ano-touch-requiredextension inPermissions.ExtensionsfromPublicKeyCallback.SignatureKeybelonging to a CA was not correctly checked for revocation. Now, both thekeyandkey.SignatureKeyare checked for@revoked.NewKeyring()silently accepted keys with theConfirmBeforeUseconstraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect.NewKeyring()now returns an error when unsupported constraints are requested.Other changes
go mod tidyalso pulled these siblinggolang.org/x/*modules forward:golang.org/x/netv0.49.0 → v0.54.0 (does not yet cover GO-2026-5026 — that requires v0.55.0 and will follow in a separate PR)golang.org/x/modv0.31.0 → v0.35.0golang.org/x/syncv0.19.0 → v0.20.0golang.org/x/sysv0.40.0 → v0.45.0golang.org/x/telemetrybumped tov0.0.0-20260409153401-be6f6cb8b1fagolang.org/x/termv0.39.0 → v0.43.0golang.org/x/textv0.33.0 → v0.37.0golang.org/x/toolsv0.44.0 (from v0.40.0)🤖 Generated with Claude Code