[openshift-5.0] OCPBUGS-97969 OCPBUGS-98134 OCPBUGS-95514 OCPBUGS-93620 OCPBUGS-98913 OCPBUGS-98911 OCPBUGS-98909: Bump golang.org/x/crypto to v0.52.0#625
Conversation
Remediates CVE-2026-39829: RSA/DSA public key parsers in golang.org/x/crypto/ssh did not enforce size limits on key parameters, allowing DoS via CPU exhaustion. Transitive bumps: - golang.org/x/sync v0.19.0 → v0.20.0 - golang.org/x/net v0.49.0 → v0.54.0 - golang.org/x/sys v0.40.0 → v0.45.0 - golang.org/x/term v0.39.0 → v0.43.0 - golang.org/x/text v0.33.0 → v0.37.0 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: AkashMore08 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@AkashMore08: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-98134, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-95514, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-93620, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-98134, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-95514, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-93620, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-98134, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-95514, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-93620, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-98913, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-98911, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. This pull request references Jira Issue OCPBUGS-98909, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-98134, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-95514, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-93620, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-98913, which is valid. 3 validation(s) were run on this bug
This pull request references Jira Issue OCPBUGS-98911, which is valid. 3 validation(s) were run on this bug
This pull request references Jira Issue OCPBUGS-98909, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@AkashMore08: This pull request references Jira Issue OCPBUGS-97969, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-98134, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-95514, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-93620, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: This pull request references Jira Issue OCPBUGS-98913, which is valid. 3 validation(s) were run on this bug
This pull request references Jira Issue OCPBUGS-98911, which is valid. 3 validation(s) were run on this bug
This pull request references Jira Issue OCPBUGS-98909, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/unhold |
|
/hold |
Bumps golang.org/x/crypto from v0.47.0 to v0.52.0 to remediate the below CVE.
CVE-2026-39829 (OCPBUGS-97969) — Pathological RSA/DSA parameters cause DoS
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification.
CVE-2026-39828 (OCPBUGS-98134) — Bypass of certificate restrictions
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded.
CVE-2026-46597 (OCPBUGS-95514) — Byte arithmetic underflow and panic
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
CVE-2026-39835 (OCPBUGS-93620) — Server panic during CheckHostKey/Authenticate
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate.
CVE-2026-46595 (OCPBUGS-98913) — VerifiedPublicKeyCallback permissions skip enforcement
Source-address validation was skipped for non-public-key callbacks, an incomplete fix for CVE-2024-45337. Connections from unauthorized source IPs could be accepted.
CVE-2026-39831 (OCPBUGS-98911) — Bypass of FIDO/U2F security keys physical interaction
The Verify() method for FIDO/U2F security key types did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key.
CVE-2026-39830 (OCPBUGS-98909) — Client can cause server deadlock on unexpected responses
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection.
Impact Analysis:
linuxptp-daemon does not directly import golang.org/x/crypto/ssh. The package enters the dependency graph indirectly via github.com/google/goexpect, which imports crypto/ssh for its SpawnSSH functionality. linuxptp-daemon only uses goexpect's local process spawning (Spawn, SpawnGeneric), never SpawnSSH. govulncheck confirms no call path to any vulnerable symbol. However, we are proactively bumping golang.org/x/crypto/ssh to v0.52.0 on the main branch as a best practice to prevent any potential exposure in the future.
Changes
golang.org/x/crypto v0.47.0 → v0.52.0
Transitive bumps:
golang.org/x/sync v0.19.0 → v0.20.0
golang.org/x/net v0.49.0 → v0.54.0
golang.org/x/sys v0.40.0 → v0.45.0
golang.org/x/term v0.39.0 → v0.43.0
golang.org/x/text v0.33.0 → v0.37.0