golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange #23

Closed
opened 2025-05-15 17:18:36 +00:00 by martinr92 · 1 comment
martinr92 commented 2025-05-15 17:18:36 +00:00 (Migrated from gitlab.com)

⚠️ dependabot-gitlab has detected security vulnerability for golang.org/x/crypto in path: /, manifest_file: /go.mod but was unable to update it! ⚠️

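| Package | Severity | Affected versions | Patched versions | IDs |
|--------------------------|----------|-------------------|------------------|----------------------------------------|
| golang.org/x/crypto (GO) | HIGH | < 0.35.0 | 0.35.0 | `GHSA-hcg3-q754-cr77`,`CVE-2025-22869` |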

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

References

* https://nvd.nist.gov/vuln/detail/CVE-2025-22869
* https://go.dev/cl/652135
* https://go.dev/issue/71931
* https://pkg.go.dev/vuln/GO-2025-3487
* https://security.netapp.com/advisory/ntap-20250411-0010
* https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
* https://go-review.googlesource.com/c/crypto/+/652135
* https://github.com/advisories/GHSA-hcg3-q754-cr77

martinr92 commented 2025-05-15 18:32:52 +00:00 (Migrated from gitlab.com)

mentioned in commit 717858761777f81aa6cd8896e193bfb4d8a5e830
martinr92 (Migrated from gitlab.com) closed this issue 2025-05-15 18:37:18 +00:00
Reference
marty-media/server#23