deps: bump golang.org/x/crypto to v0.33.0 (fix CVE-2024-45337) #36
Conversation
Fixes CVE-2024-45337 (GHSA-v778-237x-gjrc): SSH PublicKeyCallback authorization bypass in golang.org/x/crypto/ssh. cbcopy does not import golang.org/x/crypto/ssh directly or transitively (verified via `go mod why golang.org/x/crypto/ssh`), so the vulnerable code path is not reachable. The bump is to keep SCA tooling (Dependency-Track and similar) from flagging the module-level CVE on cbcopy and downstream consumers. v0.33.0 is the highest x/crypto release whose go.mod still declares 'go 1.20'; v0.34.0 onwards declare 'go 1.23.0', which would force cbcopy's own 'go' directive up from 1.21. Staying at v0.33.0 keeps this PR scoped to a CVE fix and avoids dragging downstream builders into a Go toolchain upgrade. Supersedes the stale Dependabot proposal in cloudberry-contrib#11 (v0.31.0); once this merges, Dependabot will auto-close cloudberry-contrib#11.
Integration suite re-verification + per-failure root-cause analysis
To verify the "failure set identical to upstream/main" claim at spec-name granularity (not just aggregate counts), I re-ran
Run summary
The two fail sets are byte-identical at spec-name granularity. The 77/80/82 swing in raw counts is entirely on 3 tablespace specs (see bucket 4 below) that flake regardless of branch — they pass on the very first run after a fully-clean cluster and fail on subsequent runs even after manual
Per-failure root cause (all 80 fails)
Each ginkgo
Bottom line
Environment: 4-host SynxDB4 4.5.0-rc.3 (1 coordinator + 1 standby + 16 primary segs + 16 mirrors),
Follow-up notes
Three supplemental disclosures from a second-pass review, to spare future reviewers from re-asking.
1. SCRAM-SHA-256 /
What
Bump `golang.org/x/crypto` from `v0.21.0` to `v0.33.0`.
Why
Fixes CVE-2024-45337 (GHSA-v778-237x-gjrc) — SSH `PublicKeyCallback` authorization bypass in `golang.org/x/crypto/ssh`. First fixed in x/crypto `v0.31.0`.
Reachability
cbcopy does not import `golang.org/x/crypto/ssh` directly or transitively:
The only sub-package actually pulled in is `golang.org/x/crypto/pbkdf2`, via `pgconn` for PostgreSQL SCRAM-SHA-256 auth. That sub-package is unaffected by the CVE.
The bump is therefore a module-level CVE clearance for SCA tooling
(Dependency-Track and similar), not a fix for an actually exploitable
path in cbcopy.
Why v0.33.0 specifically (not v0.31.0, not v0.51.0)

| module | `go` directive in its go.mod | effect on cbcopy |
| --- | --- | --- |
| cbcopy (current) | `go 1.21` | |
| x/crypto `v0.31.0` | `go 1.20` | |
| x/crypto `v0.33.0` | `go 1.20` | |
| x/crypto `v0.34.0`+ (incl. `v0.51.0`) | `go 1.23.0` | forces cbcopy's `go` directive up to 1.23 |

`v0.33.0` is the highest x/crypto release that does not force cbcopy's `go` directive past `1.21`. It picks up additional fixes shipped between `v0.31` and `v0.33` without dragging downstream builders into a Go toolchain upgrade. Going to `v0.34`+ raises the project's minimum Go to 1.23 and is out of scope for this PR.
Diff
go.mod: one line bumped for `x/crypto`; `go` directive unchanged (still `go 1.21`); no `toolchain` directive introduced. Sibling `golang.org/x/{sys,net,text,tools}` refreshed to their minimum versions required by v0.33.0; `go-cmp` bumped to v0.6.0 (test util, pulled by `x/tools`).
go.sum: corresponding refreshes only (`pgx`, `pgconn`, `go-sqlmock` untouched).
Verification
Static / build:
- `grep '^go ' go.mod` → still `go 1.21`
- `grep '^toolchain ' go.mod` → no match
- `go mod why golang.org/x/crypto/ssh` → "main module does not need..."
- `go build ./...` clean
- `make build` produces both `cbcopy` and `cbcopy_helper` binaries
- `go vet ./...` — output identical to upstream/main baseline (one pre-existing `testutils/functions.go:648` unreachable code warning, not introduced by this PR)
- `go test -c` compiles for `./copy/...`, `./helper/...`, `./internal/dbconn/...`
Tests (4-host SynxDB4 cluster, A/B'd against upstream/main with the same env):
- `internal/dbconn`, `meta/builtin`, `meta/builtin/toc`, `option`, `testutils`, `utils` — green
- `./integration` suite — 365 passed / 82 failed; failure set identical to upstream/main, no regression from this PR
- `./end_to_end` suite — 15 passed / 0 failed
Relation to #11
Dependabot opened #11 in Feb 2025 proposing `v0.31.0`. That PR has been idle for 30+ days and lost auto-rebase. This PR proposes the same fix at a slightly higher patch level (`v0.33.0`) that is the ceiling under the current `go 1.21` directive. Once this merges, Dependabot will recognise `v0.33.0 >= v0.31.0` and auto-close #11. No need to close #11 manually.
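The static checks in the PR's verification list (the `go` directive still at or below 1.21, no `toolchain` directive introduced, and `golang.org/x/crypto` at or above the first fixed release `v0.31.0`) can be scripted so a reviewer or CI job does not have to eyeball `go.mod`. The following is an added example and is not code from the cbcopy project or from this PR; `SAMPLE_GO_MOD` is a constructed go.mod modelled on the state the description reports, and the function names (`parse_go_mod`, `check_bump`, `parse_version`) and the module path `example.invalid/cbcopy` are assumptions for the illustration.

```python
"""Check a go.mod against the constraints a CVE-driven dependency bump relies on.

Added example; not code from the cbcopy project. The go.mod text below is
constructed for illustration and mirrors what the PR description reports:
go 1.21, x/crypto at v0.33.0, no toolchain directive.
"""

# Constructed sample go.mod (not the project's real file).
SAMPLE_GO_MOD = """\
module example.invalid/cbcopy

go 1.21

require (
\tgithub.com/google/go-cmp v0.6.0
\tgolang.org/x/crypto v0.33.0 // bumped for CVE-2024-45337
\tgolang.org/x/sys v0.30.0
)
"""


def parse_version(v):
    """'v0.33.0' -> (0, 33, 0); '1.21' -> (1, 21, 0).

    Pre-release ('-rc1') and build ('+meta') suffixes are stripped so the
    tuple comparison only looks at the numeric core.
    """
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_go_mod(text):
    """Minimal go.mod reader.

    Returns (go_directive, toolchain_directive, {module_path: version}).
    Handles both the single-line 'require x v1' form and the block form.
    Line comments ('// ...') are ignored.
    """
    go_directive = None
    toolchain = None
    requires = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            fields = line.split()
            if len(fields) >= 2:
                requires[fields[0]] = fields[1]
            continue
        if line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            fields = line.split()
            if len(fields) >= 3:
                requires[fields[1]] = fields[2]
        elif line.startswith("go "):
            go_directive = line.split()[1]
        elif line.startswith("toolchain "):
            toolchain = line.split()[1]
    return go_directive, toolchain, requires


def check_bump(text, module="golang.org/x/crypto", fixed="v0.31.0", max_go="1.21"):
    """Apply the three checks and return them as a findings dict.

    cve_fixed        - the module is at or above the first fixed version
    go_directive_ok  - the go directive did not climb past max_go
    toolchain_introduced - a toolchain directive appeared (would force a
                           toolchain download on downstream builders)
    """
    go_directive, toolchain, requires = parse_go_mod(text)
    ver = requires.get(module)
    return {
        "module_version": ver,
        "cve_fixed": ver is not None and parse_version(ver) >= parse_version(fixed),
        "go_directive": go_directive,
        "go_directive_ok": go_directive is not None
        and parse_version(go_directive) <= parse_version(max_go),
        "toolchain_introduced": toolchain is not None,
    }


if __name__ == "__main__":
    for key, value in check_bump(SAMPLE_GO_MOD).items():
        print(f"{key}: {value}")
```

Run it against the real `go.mod` by replacing `SAMPLE_GO_MOD` with the file's contents; any finding of `cve_fixed: False`, `go_directive_ok: False` or `toolchain_introduced: True` is exactly the condition the PR description says must not occur. Note that this only confirms the module-level version, which is what SCA tooling keys on; reachability of the `ssh` sub-package is still answered by `go mod why`, as the description does.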