Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade golang.org/x/crypto to version 0.0.0-20200220183623-bac4c82f6975 or higher. #451

Closed
IzhakJakov opened this issue Feb 10, 2022 · 8 comments · Fixed by #503 or newrelic/docs-website#7786
Closed

Upgrade golang.org/x/crypto to version 0.0.0-20200220183623-bac4c82f6975 or higher. #451

IzhakJakov opened this issue Feb 10, 2022 · 8 comments · Fixed by #503 or newrelic/docs-website#7786
Labels
bug good first issue Quality & UX Code Quality and User Experience

Comments

@IzhakJakov
Copy link

Description

golang.org/x/crypto is a SSH client and server

Affected versions of this package are vulnerable to Improper Signature Verification. An attacker can craft an ssh-ed25519 or [email protected] public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client

Reference: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-1083910

Steps to Reproduce

〉git clone 'https://github.com/newrelic/go-agent'

〉cd go-agent/v3

〉ggdh 'golang.org/x/[email protected]'
             github.com/newrelic/go-agent/v3
                            ⬇
              google.golang.org/[email protected]
                            ⬇
   golang.org/x/[email protected]
                            ⬇
  golang.org/x/[email protected]

Expected Behavior

〉git clone 'https://github.com/newrelic/go-agent'

〉cd go-agent/v3

〉ggdh 'golang.org/x/[email protected]'
"golang.org/x/[email protected]" is not a dependency of this package.
@IzhakJakov IzhakJakov added the bug label Feb 10, 2022
@RichVanderwal
Copy link
Contributor

Thanks for submitting this issue, @IzhakJakov ! Thanks to your write-up its clear that this has something to do with the version of our gRPC dependency. We'll put this into our planning process.

@IzhakJakov
Copy link
Author

Thank you.

@IzhakJakov
Copy link
Author

What is the expected completion date for this issue?

@iamemilio
Copy link
Contributor

iamemilio commented May 17, 2022
edited
Loading

Thanks for following up, we are short staffed right now, so this fell off the radar. I don't think its going to make this upcoming release, but it will definitely make the next one.

@iamemilio
Copy link
Contributor

iamemilio commented May 17, 2022
edited
Loading

We will try to get this out ASAP in a micro release

@IzhakJakov
Copy link
Author

Sounds good. Thank you!

@iamemilio iamemilio added good first issue Quality & UX Code Quality and User Experience labels May 23, 2022
@nr-swilloughby
Copy link
Contributor

It seems this comes from the older version of grpc we have in our go.mod files. Moving grpc up to v1.39.0 updates the indirect dependency on x/net and x/crypto such that it depends on x/crypto v0.0.0-20200622213623-75b288015ac9.

This was referenced May 26, 2022
Merged
Merged
@nr-swilloughby nr-swilloughby mentioned this issue May 26, 2022
Merged
@IzhakJakov
Copy link
Author

Thanks for taking care of this :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug good first issue Quality & UX Code Quality and User Experience
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Release v3.16.1 newrelic/go-agent
release 3.16.1 nr-swilloughby/docs-website
4 participants
@iamemilio @RichVanderwal @IzhakJakov @nr-swilloughby