Upgrade golang.org/x/crypto to v0.17.0 to fix vulnerability issue #2562

Merged

Conversation

nicumaxian
Contributor

@nicumaxian nicumaxian commented Dec 19, 2023

Vulnerability found on 12/18/2023 regarding golang.org/x/crypto for versions v0.16.0 and below.

https://nvd.nist.gov/vuln/detail/CVE-2023-48795 | https://pkg.go.dev/vuln/GO-2023-2402

This MR upgrades the dependency to v0.17.0 to avoid the vulnerability issue.

@aldas
Contributor

aldas commented Dec 19, 2023

Affected packages: golang.org/x/crypto/ssh, as per https://pkg.go.dev/vuln/GO-2023-2402. This should not be a problem for HTTP(s) related stuff, but I will tag a patch release today.

@aldas aldas merged commit 287a82c into labstack:master Dec 19, 2023
14 checks passed
@aldas aldas mentioned this pull request Dec 20, 2023
@aldas
Contributor

aldas commented Dec 20, 2023

Patch version v4.11.4 is released. Maybe this helps people with "loud" security scanners.
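The distinction drawn in the thread above (a module can require golang.org/x/crypto v0.16.0 or lower without ever importing the affected `golang.org/x/crypto/ssh` package) can be triaged mechanically. The following is an added example, not code from this pull request or from the echo project; the function name `triage`, the result labels, and the sample `go.mod` and import list are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample go.mod text (not taken from any real repository).
const sampleGoMod = `module example.com/app

require golang.org/x/crypto v0.16.0 // indirect
`

// Constructed list of import paths found in the build (an HTTP-only service).
var sampleImports = []string{"net/http", "golang.org/x/crypto/acme/autocert"}

const sshPkg = "golang.org/x/crypto/ssh"

// Matches a require entry for golang.org/x/crypto, single-line or inside a require block.
var requireRe = regexp.MustCompile(`(?m)^\s*(?:require\s+)?golang\.org/x/crypto\s+v(\d+)\.(\d+)\.\d+`)

// triage classifies a module by the x/crypto version it requires and by
// whether the ssh package (or one of its subpackages) is imported at all.
func triage(goMod string, imports []string) string {
	m := requireRe.FindStringSubmatch(goMod)
	if m == nil {
		return "not-required"
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	if major > 0 || minor >= 17 { // v0.17.0 is the fixed version named in this PR
		return "fixed"
	}
	for _, p := range imports {
		if p == sshPkg || strings.HasPrefix(p, sshPkg+"/") {
			return "affected-version-ssh-imported"
		}
	}
	return "affected-version-ssh-not-imported"
}

func main() {
	fmt.Println(triage(sampleGoMod, sampleImports))
}
```

In a real project the import list can be taken from the output of `go list -deps ./...` rather than written by hand.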
