Hello gophers, We have tagged version v0.45.0 of golang.org/x/crypto in order to address two security issues.
This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a vulnerability in the golang.org/x/crypto/ssh/agent package which could cause programs to consume unbounded memory or panic respectively. SSH servers parsing GSSAPI authentication requests don't validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58181 and Go issue https://go.dev/issue/76363. SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-47914 and Go issue https://go.dev/issue/76364. Cheers, Go Security team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/CADAOFNSRp7t4UjAQC1Oa43TUdef95ob%3DAg5_F_r7kq2d6wu6%2Bg%40mail.gmail.com.
