Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update module golang.org/x/crypto to v0.31.0 [SECURITY] #493

Merged
merged 1 commit into from
Dec 16, 2024

Conversation

gardener-ci-robot
Copy link
Contributor

@gardener-ci-robot gardener-ci-robot commented Dec 12, 2024

This PR contains the following updates:

Package Type Update Change
golang.org/x/crypto require minor v0.30.0 -> v0.31.0

GitHub Vulnerability Alerts

CVE-2024-45337

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@gardener-ci-robot gardener-ci-robot requested a review from a team as a code owner December 12, 2024 00:37
@gardener-ci-robot gardener-ci-robot added the kind/enhancement Enhancement, improvement, extension label Dec 12, 2024
@gardener-robot
Copy link

@gardener-ci-robot Thank you for your contribution.

@gardener-robot gardener-robot added needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Dec 12, 2024
@gardener-ci-robot gardener-ci-robot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from c5c668a to bff2df7 Compare December 13, 2024 14:07
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Dec 13, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Dec 13, 2024
@gardener-robot gardener-robot added the needs/rebase Needs git rebase label Dec 16, 2024
@gardener-robot
Copy link

@gardener-ci-robot You need rebase this pull request with latest master branch. Please check.

@gardener-ci-robot gardener-ci-robot force-pushed the renovate/go-golang.org-x-crypto-vulnerability branch from bff2df7 to 9a65404 Compare December 16, 2024 15:12
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Dec 16, 2024
@gardener-robot gardener-robot added the size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) label Dec 16, 2024
@gardener-robot-ci-2 gardener-robot-ci-2 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Dec 16, 2024
@gardener-robot gardener-robot removed the size/s Size of pull request is small (see gardener-robot robot/bots/size.py) label Dec 16, 2024
@petersutter petersutter merged commit 28af4de into master Dec 16, 2024
9 checks passed
@petersutter petersutter deleted the renovate/go-golang.org-x-crypto-vulnerability branch December 16, 2024 15:18
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/rebase Needs git rebase needs/review Needs review size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants