x/mod: uses crypto version with CVE

[alexhudici]

CVE-2020-9283
synk.io
cve.mitre.org

Does this issue reproduce with the latest release?

The master branch currently has v0.0.0-20191011191535-87dc89f01550

[toothrot]

@bcmills @jayconrod @matloob

[jayconrod]

The only package in golang.org/x/crypto transitively imported by packages in golang.org/x/mod is golang.org/x/crypto/ed25519, so I don't believe we're affected by this.

Of course, there's no harm in updating the dependency.

(In the future, it's preferred to report security issues by emailing security@golang.org instead of opening a public issue, in case a vulnerability needs to be resolved discreetly. https://golang.org/security explains more).

[gopherbot]

Change https://golang.org/cl/355630 mentions this issue: x/mod: update requirement on x/crypto