chore: [security] bump golang.org/x/crypto from 0.31.0 to 0.35.0 #445

Closed
martinr92 wants to merge 1 commit from dependabot-go_modules-develop-golang.org-x-crypto-0.35.0 into develop
martinr92 commented 2025-04-15 02:57:19 +00:00 (Migrated from gitlab.com)

Bumps golang.org/x/crypto from 0.31.0 to 0.35.0. This update includes a security fix.

Vulnerabilities fixed

golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Patched versions: 0.35.0
Affected versions: < 0.35.0

Commits
  • 7292932 ssh: limit the size of the internal packet queue while waiting for KEX
  • f66f74b acme/autocert: check host policy before probing the cache
  • b0784b7 x509roots/fallback: drop obsolete build constraint
  • 911360c all: bump golang.org/x/crypto dependencies of asm generators
  • 89ff08d all: upgrade go directive to at least 1.23.0 [generated]
  • e47973b all: update certs for go1.24
  • 9290511 go.mod: update golang.org/x dependencies
  • fa5273e x509roots/fallback: update bundle
  • a8ea4be ssh: add ServerConfig.PreAuthConnCallback, ServerPreAuthConn (banner) interface
  • 71d3a4c acme: support challenges that require the ACME client to send a non-empty JSO...
  • Additional commits viewable in compare view

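A check for the affected range stated above (< 0.35.0), as an added example that is not part of the original pull request or of golang.org/x/crypto: it reads go.mod text and reports whether the required golang.org/x/crypto version is below the patched release. The names `Affected` and `parse` and the go.mod line in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Module path and first patched release, both taken from the advisory text.
const modPath, patched = "golang.org/x/crypto", "v0.35.0"

// parse reads the numeric core of "v0.31.0" or of a pseudo-version and
// reports whether a pre-release suffix ("-...") follows it.
func parse(v string) (n [3]int, pre bool, err error) {
	_, err = fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, strings.Contains(v, "-"), err
}

// Affected scans go.mod text and returns the required version of modPath
// and whether that version is below the patched release.
func Affected(gomod string) (version string, affected bool, err error) {
	want, _, _ := parse(patched)
	block := "" // directive of the "( ... )" block being read, if any
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) == 2 && f[1] == "(" { // "require (" opens a block
			block = f[0]
		} else if len(f) == 1 && f[0] == ")" {
			block = ""
		}
		dir := block
		if block == "" && len(f) == 3 { // single-line form: "require <path> <version>"
			dir, f = f[0], f[1:]
		}
		if dir != "require" || len(f) != 2 || f[0] != modPath {
			continue // exclude/replace entries and other modules are ignored
		}
		have, pre, err := parse(f[1])
		c := slices.Compare(have[:], want[:]) // a pre-release of the same core sorts before the release
		return f[1], err == nil && (c < 0 || c == 0 && pre), err
	}
	return "", false, nil // module is not required
}

func main() {
	fmt.Println(Affected("require golang.org/x/crypto v0.31.0")) // constructed input
}
```

Run it against the go.mod of the branch that is actually deployed, since a closed bump request says nothing about which version that branch requires.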
martinr92 commented 2025-04-15 02:57:19 +00:00 (Migrated from gitlab.com)

assigned to @martinr92
martinr92 commented 2025-05-04 02:59:52 +00:00 (Migrated from gitlab.com)

added 22 commits

  • 7bf57bf1...88377c6c - 21 commits from branch develop
  • bc148953 - chore: [security] bump golang.org/x/crypto from 0.31.0 to 0.35.0

Compare with previous version

martinr92 (Migrated from gitlab.com) closed this pull request 2025-05-15 17:05:00 +00:00
