From 0de84f01907df0a2f6ac88e141c1c997a25d5b0f Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 19 Dec 2023 00:35:09 +0100
Subject: [PATCH] vendor: golang.org/x/crypto v0.17.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
no changes in vendored files
full diff: https://github.com/golang/crypto/compare/v0.16.0...v0.17.0
from the security mailing:
> Hello gophers,
>
> Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the
> golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise
> the integrity of the secure channel before it was established, allowing
> them to prevent transmission of a number of messages immediately after
> the secure channel was established without either side being aware.
>
> The impact of this attack is relatively limited, as it does not compromise
> confidentiality of the channel. Notably this attack would allow an attacker
> to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a
> handful of newer security features.
>
> This protocol weakness was also fixed in OpenSSH 9.6.
>
> Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr
> University Bochum for reporting this issue.
>
> This is CVE-2023-48795 and Go issue https://go.dev/issue/64784.
>
> Cheers,
> Roland on behalf of the Go team
Signed-off-by: Sebastiaan van Stijn
---
 vendor.mod | 2 +-
 vendor.sum | 4 ++--
 vendor/modules.txt | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/vendor.mod b/vendor.mod
index f58b926590..2cfad9674d 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -79,7 +79,7 @@ require (
 go.opentelemetry.io/otel v1.19.0 // indirect
 go.opentelemetry.io/otel/metric v1.19.0 // indirect
 go.opentelemetry.io/otel/trace v1.19.0 // indirect
- golang.org/x/crypto v0.16.0 // indirect
+ golang.org/x/crypto v0.17.0 // indirect
 golang.org/x/mod v0.11.0 // indirect
 golang.org/x/net v0.17.0 // indirect
 golang.org/x/time v0.3.0 // indirect
diff --git a/vendor.sum b/vendor.sum
index c1b77b68e8..da2bc799c0 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -295,8 +295,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ec84d63ec1..7e9a66e167 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -305,7 +305,7 @@ go.opentelemetry.io/otel/metric/embedded
 # go.opentelemetry.io/otel/trace v1.19.0
 ## explicit; go 1.20
 go.opentelemetry.io/otel/trace
-# golang.org/x/crypto v0.16.0
+# golang.org/x/crypto v0.17.0
 ## explicit; go 1.18
 golang.org/x/crypto/ed25519
 golang.org/x/crypto/pbkdf2