Skip to content

[release-2.8] backend: bump golang.org/x/crypto to v0.52.0 to address Snyk findings#2470

Merged
c-julin merged 1 commit into
release-2.8from
tb/snyk-crypto-0.52-release-2.8
May 27, 2026
Merged

[release-2.8] backend: bump golang.org/x/crypto to v0.52.0 to address Snyk findings#2470
c-julin merged 1 commit into
release-2.8from
tb/snyk-crypto-0.52-release-2.8

Conversation

@twmb

@twmb twmb commented May 26, 2026

Copy link
Copy Markdown
Contributor

Summary

Backport of the master fix (#2469) to release-2.8.

Bump golang.org/x/crypto from v0.51.0 to v0.52.0 to address 6 HIGH severity Snyk findings in golang.org/x/crypto/ssh.

Vulnerabilities addressed

CVE Go vuln Title
CVE-2026-39831 GO-2026-5019 Improper Authentication
CVE-2026-39827 GO-2026-5016 Missing Release of Resource after Effective Lifetime
CVE-2026-42508 GO-2026-5021 Improper Check for Certificate Revocation (knownhosts)
CVE-2026-46597 GO-2026-5013 Incorrect Type Conversion or Cast
CVE-2026-46598 GO-2026-5033 Incorrect Type Conversion or Cast (ssh/agent)
CVE-2026-39835 GO-2026-5015 Uncaught Exception

Snyk links:

Test plan

  • CI passes

🤖 Generated with Claude Code

… Snyk findings

Backport of the master fix. Addresses the following HIGH severity
vulnerabilities in golang.org/x/crypto/ssh:

* CVE-2026-39831 / GO-2026-5019 - Improper Authentication
* CVE-2026-39827 / GO-2026-5016 - Missing Release of Resource after Effective Lifetime
* CVE-2026-42508 / GO-2026-5021 - Improper Check for Certificate Revocation (knownhosts)
* CVE-2026-46597 / GO-2026-5013 - Incorrect Type Conversion or Cast
* CVE-2026-46598 / GO-2026-5033 - Incorrect Type Conversion or Cast (agent)
* CVE-2026-39835 / GO-2026-5015 - Uncaught Exception

Snyk:
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795344
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16795342
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHKNOWNHOSTS-16796449
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796326
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-16796334
* https://app.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-16796332

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@c-julin c-julin merged commit 675bfda into release-2.8 May 27, 2026
3 of 5 checks passed
@c-julin c-julin deleted the tb/snyk-crypto-0.52-release-2.8 branch May 27, 2026 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants