
Upgrade golang.org/x/crypto to version 0.0.0-20200220183623-bac4c82f6975 or higher. #451

Closed
newrelic/docs-website
#7786
@IzhakJakov

Description


golang.org/x/crypto is an SSH client and server

Affected versions of this package are vulnerable to Improper Signature Verification. An attacker can craft an ssh-ed25519 or sk-ssh-...@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.

Reference: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-1083910

Steps to Reproduce

〉git clone 'https://github.com/newrelic/go-agent'

〉cd go-agent/v3

〉ggdh 'golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2'
             github.com/newrelic/go-agent/v3
                            ⬇
              google.golang.org/grpc@v1.27.0
                            ⬇
   golang.org/x/net@v0.0.0-20190311183353-d8887717615a
                            ⬇
  golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2

Expected Behavior

〉git clone 'https://github.com/newrelic/go-agent'

〉cd go-agent/v3

〉ggdh 'golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2'
"golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2" is not a dependency of this package.

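The dependency chain reported above can also be checked against the output of the standard `go mod graph` command. The following is an added example, not part of the original issue or of the go-agent code base: `VulnerablePath`, `olderThanFix` and the embedded sample graph are constructed for illustration, and the check assumes x/crypto is pinned by a `v0.0.0-<timestamp>-<hash>` pseudo-version, as it is in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

const fixedStamp = "20200220183623" // commit timestamp of the fixed pseudo-version in the issue title
// sampleGraph is constructed input in `go mod graph` format, mirroring the chain in the issue.
const sampleGraph = `github.com/newrelic/go-agent/v3 google.golang.org/grpc@v1.27.0
google.golang.org/grpc@v1.27.0 golang.org/x/net@v0.0.0-20190311183353-d8887717615a
golang.org/x/net@v0.0.0-20190311183353-d8887717615a golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2`

// olderThanFix flags x/crypto pseudo-versions (v0.0.0-<timestamp>-<hash>) cut before
// the fix. Assumption: any other version form is not judged and passes.
func olderThanFix(mod string) bool {
	ver, ok := strings.CutPrefix(mod, "golang.org/x/crypto@v0.0.0-")
	stamp, _, _ := strings.Cut(ver, "-")
	return ok && len(stamp) == 14 && stamp < fixedStamp
}

// VulnerablePath returns the shortest require chain (BFS from root) ending at an affected x/crypto version, or nil.
func VulnerablePath(graph, root string) []string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	seen := map[string]bool{root: true}
	for queue := [][]string{{root}}; len(queue) > 0; queue = queue[1:] {
		path := queue[0]
		cur := path[len(path)-1]
		if olderThanFix(cur) {
			return path
		}
		for _, next := range edges[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(VulnerablePath(sampleGraph, "github.com/newrelic/go-agent/v3"), "\n  -> "))
}
```

To run it on a real module, pass the text printed by `go mod graph` in place of `sampleGraph`; the root is the module path exactly as it appears in the first column, without a version.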