
[release-1.43] Bump golang.org/x/crypto to v0.53.0 for CVE-2026-39830 #6929

Open
lsm5 wants to merge 1 commit into podman-container-tools:release-1.43 from lsm5:release-1.43-cve-2026-39830

Conversation

@lsm5 lsm5 commented Jun 24, 2026
Contributor

Fixes CVE-2026-39830: SSH server deadlock vulnerability in golang.org/x/crypto/ssh where a malicious peer could send unsolicited global request responses to block the connection.

Buildah uses golang.org/x/crypto/ssh in pkg/sshagent/ for SSH agent forwarding during container builds.

What type of PR is this?

/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

None

@lsm5 lsm5 added the No New Tests Allow PR to proceed without adding regression tests label Jun 24, 2026
@lsm5 lsm5 force-pushed the release-1.43-cve-2026-39830 branch from 3eb0666 to 1c9c85b Compare June 24, 2026 18:11
@lsm5 lsm5 marked this pull request as ready for review June 24, 2026 18:54
@lsm5 lsm5 commented Jun 24, 2026
Contributor Author

@podman-container-tools/buildah-maintainers PTAL

@nalind nalind left a comment
Contributor

Does what it says on the tin. It means we need Go 1.25 now, though.

@Luap99 Luap99 commented Jun 24, 2026
Member

podman-container-tools/podman#28971 did bump to v0.53.0 so I guess we should follow the same here
cc @TomSweeneyRedHat

@TomSweeneyRedHat

Contributor

@lsm5 we should go to crypto v0.53.0. I don't recall the CVE numbers, but one calls for at least 0.52, the other for 0.53.

@lsm5 lsm5 force-pushed the release-1.43-cve-2026-39830 branch from 1c9c85b to f500e43 Compare June 25, 2026 13:32
@lsm5 lsm5 commented Jun 25, 2026
Contributor Author

@lsm5 we should go to crypto v0.53.0. I don't recall the CVE numbers, but one calls for at least 0.52, the other for 0.53.

CVE-2026-42508 doesn't actually affect buildah as ssh/knownhosts isn't vendored here. But I'm cool with updating to be consistent with podman. Rebased just now.
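
As an added example (not code from this PR or from Buildah), a small Go audit of the two questions the thread turns on: whether go.mod pins golang.org/x/crypto at or above the version that carries a fix, and whether the affected package is actually vendored in the tree (the ssh/knownhosts point made above). The CVE-to-version mapping (CVE-2026-39830 fixed in v0.52.0, CVE-2026-42508 in v0.53.0) is inferred from the thread and not verified against the advisories, and the go.mod and vendor/modules.txt contents are constructed samples.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Assumed from the thread, not verified against the advisories: CVE-2026-39830 (ssh) is fixed in v0.52.0, CVE-2026-42508 (ssh/knownhosts) in v0.53.0.
var advisories = []struct{ ID, Module, Package, Fixed string }{
	{"CVE-2026-39830", "golang.org/x/crypto", "golang.org/x/crypto/ssh", "v0.52.0"},
	{"CVE-2026-42508", "golang.org/x/crypto", "golang.org/x/crypto/ssh/knownhosts", "v0.53.0"},
}

// Constructed sample inputs, not Buildah's real go.mod and vendor/modules.txt.
const sampleGoMod = "module example.com/app\n\ngo 1.25\n\nrequire (\n\tgolang.org/x/crypto v0.51.0 // indirect\n)\n"
const sampleModulesTxt = "# golang.org/x/crypto v0.51.0\n## explicit; go 1.25\ngolang.org/x/crypto/ssh\ngolang.org/x/crypto/ssh/agent\n"

// AtLeast reports whether have >= want for "vMAJOR.MINOR.PATCH" strings (a pre-release suffix is ignored); malformed or empty input is an error, never a pass.
func AtLeast(have, want string) (bool, error) {
	var h, w [3]int
	_, errH := fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2])
	_, errW := fmt.Sscanf(want, "v%d.%d.%d", &w[0], &w[1], &w[2])
	if errH != nil || errW != nil {
		return false, fmt.Errorf("malformed version %q or %q", have, want)
	}
	return slices.Compare(h[:], w[:]) >= 0, nil
}

// Audit returns the IDs of advisories still open in a tree: the affected package is listed in vendor/modules.txt and go.mod pins its module below the fixed version.
func Audit(gomod, modulesTxt string) ([]string, error) {
	pinned := map[string]string{} // module path -> version, from go.mod require lines
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require ")); len(f) >= 2 {
			pinned[f[0]] = f[1]
		}
	}
	var open []string
	for _, a := range advisories {
		if !strings.Contains("\n"+modulesTxt, "\n"+a.Package+"\n") {
			continue // package not vendored, so the advisory does not apply here
		}
		if fixed, err := AtLeast(pinned[a.Module], a.Fixed); err != nil {
			return nil, err // also catches a vendored module missing from go.mod
		} else if !fixed {
			open = append(open, a.ID)
		}
	}
	return open, nil
}
```

Audit(sampleGoMod, sampleModulesTxt) returns [CVE-2026-39830]: ssh is vendored at v0.51.0, while knownhosts is skipped because it is not vendored.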

@packit-as-a-service


Ephemeral COPR build failed. @containers/packit-build please check.

Fixes CVE-2026-39830: SSH server deadlock vulnerability in
golang.org/x/crypto/ssh where a malicious peer could send
unsolicited global request responses to block the connection.

Buildah uses golang.org/x/crypto/ssh in pkg/sshagent/ for SSH
agent forwarding during container builds.

CVE-2026-42508 doesn't actually affect buildah but let's update to
v0.53.0 to be consistent with podman.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
@lsm5 lsm5 force-pushed the release-1.43-cve-2026-39830 branch from f500e43 to 4c95ee1 Compare June 25, 2026 13:42
@lsm5 lsm5 changed the title [release-1.43] Bump golang.org/x/crypto to v0.52.0 for CVE-2026-39830 [release-1.43] Bump golang.org/x/crypto to v0.53.0 for CVE-2026-39830 Jun 25, 2026

Labels

No New Tests Allow PR to proceed without adding regression tests


4 participants