[release/1.6] backport: vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd#7340
Conversation
Hi @dcermak. Thanks for your PR. I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The build failures are due to the rocky linux 8 vagrant box not existing and the windows MinGW script failing to execute.
full diff: golang/crypto@32db794...3147a52

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

Hello gophers,

Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys. Previously, a client would fail to authenticate with RSA keys to servers that reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default and—starting today March 15, 2022 for recently uploaded keys.

We are providing this announcement as the error (“ssh: unable to authenticate”) might otherwise be difficult to troubleshoot.

Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also fixes a potential security issue where an attacker could cause a crash in a golang.org/x/crypto/ssh server under these conditions:

- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

Servers that only use Signer implementations provided by the ssh package are unaffected. This is CVE-2022-27191.

Until next time,
Filippo for the Go Security team

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Dan Čermák <[email protected]>
(cherry picked from commit 9aadef1)
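The announcement quoted above lists three conditions under which a custom host key exposes a golang.org/x/crypto/ssh server to the crash. The following is an added example, not containerd's code and not code from golang.org/x/crypto, that turns those conditions into a startup check a server operator can run on their own Signer before handing it to AddHostKey, and shows the difference between a Signer that only implements Sign and one that also implements SignWithAlgorithm. To build with the standard library alone, the interfaces hostSigner and algorithmSigner are assumed stand-ins that mirror the method shapes of ssh.Signer and ssh.AlgorithmSigner (with the public key reduced to its wire type string); legacyRSASigner, sha2RSASigner, VerifyWithAlgorithm and HostKeyMatchesAdvisory are hypothetical names chosen here. Implementing AlgorithmSigner on your own signer is shown as a hardening step on the operator's side; the fix the vendor bump brings in is the upstream one in the ssh server itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"io"
)

// Assumed stand-ins for ssh.Signer and ssh.AlgorithmSigner from
// golang.org/x/crypto/ssh: same method shapes, but PublicKey is reduced to
// its wire-format type string so this file builds with the standard library.
type hostSigner interface {
	PublicKeyType() string
	Sign(rand io.Reader, data []byte) ([]byte, error)
}

type algorithmSigner interface {
	hostSigner
	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) ([]byte, error)
}

// legacyRSASigner (hypothetical) is the kind of custom host key the
// announcement describes: an RSA key reported as "ssh-rsa" that only
// implements Sign, so the only signature it can produce is SHA-1 based.
type legacyRSASigner struct{ key *rsa.PrivateKey }

func (s legacyRSASigner) PublicKeyType() string { return "ssh-rsa" }

func (s legacyRSASigner) Sign(rand io.Reader, data []byte) ([]byte, error) {
	h := sha1.Sum(data)
	return rsa.SignPKCS1v15(rand, s.key, crypto.SHA1, h[:])
}

// sha2RSASigner (hypothetical) wraps the same key but also implements
// SignWithAlgorithm, so a server can be asked for rsa-sha2-256 or
// rsa-sha2-512 instead of being limited to the SHA-1 path.
type sha2RSASigner struct{ legacyRSASigner }

func (s sha2RSASigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) ([]byte, error) {
	switch algorithm {
	case "", "ssh-rsa":
		return s.Sign(rand, data)
	case "rsa-sha2-256":
		h := sha256.Sum256(data)
		return rsa.SignPKCS1v15(rand, s.key, crypto.SHA256, h[:])
	case "rsa-sha2-512":
		h := sha512.Sum512(data)
		return rsa.SignPKCS1v15(rand, s.key, crypto.SHA512, h[:])
	}
	return nil, errors.New("unsupported signature algorithm: " + algorithm)
}

// VerifyWithAlgorithm is the receiving side of the three algorithms above;
// a mismatch between the algorithm name and the digest fails verification.
func VerifyWithAlgorithm(pub *rsa.PublicKey, data, sig []byte, algorithm string) error {
	switch algorithm {
	case "ssh-rsa":
		h := sha1.Sum(data)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig)
	case "rsa-sha2-256":
		h := sha256.Sum256(data)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	case "rsa-sha2-512":
		h := sha512.Sum512(data)
		return rsa.VerifyPKCS1v15(pub, crypto.SHA512, h[:], sig)
	}
	return errors.New("unsupported signature algorithm: " + algorithm)
}

// HostKeyMatchesAdvisory reports whether a Signer about to be handed to
// ServerConfig.AddHostKey satisfies the announcement's conditions: it
// advertises an "ssh-rsa" key and does not implement AlgorithmSigner.
func HostKeyMatchesAdvisory(s hostSigner) bool {
	if s.PublicKeyType() != "ssh-rsa" {
		return false
	}
	_, hasAlgorithmSigner := s.(algorithmSigner)
	return !hasAlgorithmSigner
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	legacy := legacyRSASigner{key}
	modern := sha2RSASigner{legacy}
	fmt.Println("legacy signer matches advisory:", HostKeyMatchesAdvisory(legacy)) // true
	fmt.Println("sha2 signer matches advisory:  ", HostKeyMatchesAdvisory(modern)) // false

	msg := []byte("constructed session data") // constructed sample input
	sig, err := modern.SignWithAlgorithm(rand.Reader, msg, "rsa-sha2-256")
	if err != nil {
		panic(err)
	}
	fmt.Println("rsa-sha2-256 verifies:", VerifyWithAlgorithm(&key.PublicKey, msg, sig, "rsa-sha2-256") == nil)
}
```

The interface assertion in HostKeyMatchesAdvisory is the same kind of check the ssh server performs internally when it decides which signature algorithms a host key supports, which is why a Signer lacking SignWithAlgorithm and reporting "ssh-rsa" is the case to look for in your own code before upgrading.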
ec80b95 to 5b44c52
This is a backport of #6687 to the release 1.6 branch