OCPBUGS-96784: bump golang.org/x/crypto to v0.52.0 for CVE-2026-39829#16734
OCPBUGS-96784: bump golang.org/x/crypto to v0.52.0 for CVE-2026-39829#16734Cragsmann wants to merge 2 commits into
Conversation
Fixes denial of service via crafted public key with excessive RSA/DSA parameters in golang.org/x/crypto/ssh. Upgrades golang.org/x/crypto from v0.51.0 to v0.52.0.
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@Cragsmann: This pull request references Jira Issue OCPBUGS-96784, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (12)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThis change updates the indirect Go module dependency ChangesDependency Update
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 14 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Cragsmann The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@Cragsmann: This pull request references Jira Issue OCPBUGS-96784, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Run `go mod tidy && go mod vendor` to fix vendor inconsistency detected by CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
@Cragsmann: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Summary
golang.org/x/cryptofrom v0.51.0 to v0.52.0Details
Prior to v0.52.0, the SSH public key parsers in golang.org/x/crypto/ssh did not enforce size limits on incoming RSA/DSA key parameters. An unauthenticated attacker could submit a crafted public key with pathologically large parameters, causing intensive CPU computation during signature verification and leading to denial of service.
Test plan
go mod verifypassesFixes: https://issues.redhat.com/browse/OCPBUGS-96784
Summary by CodeRabbit
golang.org/x/crypto, to a newer version.