Bump Go to 1.25 and x/crypto to v0.52.0, x/net to v0.55.0 (8 CVEs)#625
Merged
Conversation
Patches 8 critical CVEs: - 7 in golang.org/x/crypto/ssh (GO-2026-5020, 5023, 5006, 5017, 5019, 5021, 5005) via x/crypto v0.52.0 - 1 in golang.org/x/net/idna (GO-2026-5026) via x/net v0.55.0 x/crypto v0.52.0 requires Go 1.25.0, so the module's go directive is raised from 1.24 to 1.25.0. Downstream projects that import opslevel-go must now be built with Go 1.25.0 or newer. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
|
In addition to CI, did a quick smoke test on listing users against this branch w/ no issues client := opslevel.NewGQLClient(opslevel.SetAPIToken(token))
users, err := client.ListUsers(nil)
|
andrewstillv15
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR raises the minimum Go version and patches eight critical CVEs across
golang.org/x/crypto/sshandgolang.org/x/net/idna.Downstream projects that import
opslevel-gomust now be built with Go 1.25.0 or newer (up from 1.24). This is becausegolang.org/x/cryptov0.52.0 setsgo 1.25.0as its minimum in its owngo.mod, and Go picks the highestgodirective across the module graph.CI reads the Go version from
go.mod(go-version-file: 'go.mod'in every workflow), so no workflow changes are needed for this repo.Go requirement
go.modgodirective:1.24→1.25.0toolchain go1.24.1line removed (implied by the new directive)Dependency bumps
golang.org/x/crypto0.41.0 → 0.52.0Commit history between tags: golang/crypto@v0.41.0...v0.52.0
Patches 7 critical CVEs, all in
golang.org/x/crypto/ssh:Writecall on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now usesint64to prevent truncation.restrict-destination-v00@openssh.comwere not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned byNewKeyring()now rejects keys with unsupported constraint extensions instead of silently ignoring them.Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.Verify()method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return ano-touch-requiredextension inPermissions.ExtensionsfromPublicKeyCallback.SignatureKeybelonging to a CA was not correctly checked for revocation. Now, both thekeyandkey.SignatureKeyare checked for@revoked.NewKeyring()silently accepted keys with theConfirmBeforeUseconstraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect.NewKeyring()now returns an error when unsupported constraints are requested.golang.org/x/net0.43.0 → 0.55.0Commit history between tags: golang/net@v0.43.0...v0.55.0
Patches 1 critical CVE in
golang.org/x/net/idna:ToASCIIandToUnicodefunctions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example,ToUnicode("xn--example-.com")incorrectly returned the nameexample.com, potentially bypassing name-based allowlists or masking the true label. This can lead to privilege escalation in programs performing checks on the ASCII hostname.Other changes
go mod tidyalso pulled these siblinggolang.org/x/*modules forward:golang.org/x/modv0.26.0 → v0.35.0golang.org/x/syncv0.16.0 → v0.20.0golang.org/x/sysv0.35.0 → v0.45.0golang.org/x/termv0.34.0 → v0.43.0golang.org/x/textv0.28.0 → v0.37.0golang.org/x/toolsv0.35.0 → v0.44.0golang.org/x/tools/go/expectandgolang.org/x/tools/go/packages/packagestestas indirect deps (transitively-required test tooling)gopkg.in/check.v1entry🤖 Generated with Claude Code