You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(deps): update module golang.org/x/crypto to v0.31.0 [security] (#4502)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| golang.org/x/crypto | `v0.27.0` -> `v0.31.0` |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2024-45337](https://redirect.github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909)
Applications and libraries which misuse the
ServerConfig.PublicKeyCallback callback may be susceptible to an
authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call
to this function does not guarantee that the key offered is in fact used
to authenticate." Specifically, the SSH protocol allows clients to
inquire about whether a public key is acceptable before proving control
of the corresponding private key. PublicKeyCallback may be called with
multiple keys, and the order in which the keys were provided cannot be
used to infer which key the client successfully authenticated with, if
any. Some applications, which store the key(s) passed to
PublicKeyCallback (or derived information) and make security relevant
determinations based on it once the connection is established, may make
incorrect assumptions.
For example, an attacker may send public keys A and B, and then
authenticate with A. PublicKeyCallback would be called only twice, first
with A and then with B. A vulnerable application may then make
authorization decisions based on key B for which the attacker does not
actually control the private key.
Since this API is widely misused, as a partial mitigation
golang.org/x/cry...@​v0.31.0 enforces the property that, when
successfully authenticating via public key, the last key passed to
ServerConfig.PublicKeyCallback will be the key used to authenticate the
connection. PublicKeyCallback will now be called multiple times with the
same key, if necessary. Note that the client may still not control the
last key passed to PublicKeyCallback if the connection is then
authenticated with a different method, such as PasswordCallback,
KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return
value from the various authentication callbacks to record data
associated with the authentication attempt instead of referencing
external state. Once the connection is established the state
corresponding to the successful authentication attempt can be retrieved
via the ServerConn.Permissions field. Note that some third-party
libraries misuse the Permissions type by sharing it across
authentication attempts; users of third-party libraries should refer to
the relevant projects for guidance.
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Paris, Automerge
- At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cozy/cozy-stack).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS41OC4xIiwidXBkYXRlZEluVmVyIjoiMzkuNTguMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119-->
0 commit comments