fix(deps): upgrade x/crypto to v0.52.0, x/net to v0.55.0 and x/quic-go to v0.59.1 to fix CVEs#777
Conversation
Resolves open CVEs in golang.org/x/crypto v0.24.0: - GHSA-v778-237x-gjrc, GO-2024-3321 (fixed in v0.31.0) - GO-2026-5005, GO-2026-5006, GO-2026-5017, GO-2026-5019, GO-2026-5020, GO-2026-5021, GO-2026-5023 (fixed in v0.52.0) Resolves open CVE in golang.org/x/net v0.26.0: - GO-2026-5026 (fixed in v0.55.0) The toolchain directive already pins go1.26.4 which covers all stdlib CVEs (CVE-2025-22871, CVE-2025-68121, CVE-2026-27143, GO-2025-3563, GO-2026-4337). No source changes — go.mod/go.sum only.
|
Hi @danielpaulus / @shamanec , would you please review this PR which doesn't have any code change just upgrading crypto and net libraries to the versions which fixed the known CVEs? Thanks |
Will do tmrw, right now I am waiting for my gh action minutes to reset 😅 |
|
Hi @danielpaulus , I've updated the PR with another CVE handling for quick-go. There is one breaking API change: quic-go renamed the Connection interface to a concrete *Conn type. Fixed the two usages in [ios/tunnel/tunnel.go] forwardDataToDevice/forwardDataToInterface signatures. |
|
Hi @danielpaulus , would you review these 3 CVE related library bumps at your conveniences ? Thanks in advance. |
Resolves open CVEs in golang.org/x/crypto v0.24.0:
Resolves open CVE in golang.org/x/net v0.26.0:
The toolchain directive already pins go1.26.4 which covers all stdlib CVEs (CVE-2025-22871, CVE-2025-68121, CVE-2026-27143, GO-2025-3563, GO-2026-4337). No source changes — go.mod/go.sum only.