[v5.8] Update golang.org/x/crypto to v0.52.0 for CVE-2026-39830 #28971

Merged: Luap99 merged 1 commit into podman-container-tools:v5.8 from lsm5:v5.8-cve-fix on Jun 23, 2026

@lsm5 lsm5 commented Jun 18, 2026

Contributor

References:

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
    commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
    the sign-off email address. See CONTRIBUTING.md
    for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

None

@Luap99 Luap99 left a comment

Member

LGTM

@lsm5 lsm5 marked this pull request as ready for review June 19, 2026 14:21

lsm5 commented Jun 19, 2026

Contributor Author

ugh, rawhide jobs should be removed from the packit config. Will do that in a followup.

@podman-container-tools/podman-maintainers PTAL

lsm5 commented Jun 19, 2026

Contributor Author

ugh, rawhide jobs should be removed from the packit config. Will do that in a followup.

#28987

@TomSweeneyRedHat

Contributor

golang.org/x/crypto v0.53.0 also fixes CVE-2026-42508. Can you do a two for one deal here and bump up another Y?

…-42508

CVE-2026-39830: Invoking client can cause server deadlock on
unexpected responses in golang.org/x/crypto/ssh

CVE-2026-42508: Revoked SignatureKey not correctly checked for
revocation in golang.org/x/crypto/ssh/knownhosts

Update golang.org/x/crypto from v0.50.0 to v0.53.0.

References:
- https://pkg.go.dev/vuln/GO-2026-5017
- https://pkg.go.dev/vuln/GO-2026-5021
- https://go.dev/issue/79564
- https://go.dev/issue/79568

Signed-off-by: Lokesh Mandvekar <lsm5@linux.com>

@ashley-cui

Contributor

LGTM, restarted some tests.

@Luap99 Luap99 merged commit b00f4f7 into podman-container-tools:v5.8 Jun 23, 2026
114 of 119 checks passed
@lsm5 lsm5 deleted the v5.8-cve-fix branch June 23, 2026 17:42

lsm5 commented Jun 23, 2026

Contributor Author

@TomSweeneyRedHat do we have any others for v5.8? We should get a new release out if nothing else.

4 participants