[Security][CVE-2025-47914][CVE-2025-58181] Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (!162) · Merge requests · sue445 / create-merge-request

Bumps golang.org/x/crypto from 0.43.0 to 0.45.0. This update includes security fixes.

Vulnerabilities fixed

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Patched versions: 0.45.0
Affected versions: < 0.45.0

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Patched versions: 0.45.0
Affected versions: < 0.45.0

Commits

4e0068c go.mod: update golang.org/x dependencies
e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
f91f7a7 ssh/agent: prevent panic on malformed constraint
2df4153 acme/autocert: let automatic renewal work with short lifetime certs
bcf6a84 acme: pass context to request
b4f2b62 ssh: fix error message on unsupported cipher
79ec3a5 ssh: allow to bind to a hostname in remote forwarding
122a78f go.mod: update golang.org/x dependencies
c0531f9 all: eliminate vet diagnostics
0997000 all: fix some comments
Additional commits viewable in compare view

[Security][CVE-2025-47914][CVE-2025-58181] Bump golang.org/x/crypto from 0.43.0 to 0.45.0

Merge request reports