Skip to content

fix(deps): upgrade x/crypto to v0.52.0, x/net to v0.55.0 and x/quic-go to v0.59.1 to fix CVEs#777

Open
stoktamisoglu wants to merge 2 commits into
danielpaulus:mainfrom
stoktamisoglu:fix/cve-2026-crypto-net-upgrade
Open

fix(deps): upgrade x/crypto to v0.52.0, x/net to v0.55.0 and x/quic-go to v0.59.1 to fix CVEs#777
stoktamisoglu wants to merge 2 commits into
danielpaulus:mainfrom
stoktamisoglu:fix/cve-2026-crypto-net-upgrade

Conversation

@stoktamisoglu

Copy link
Copy Markdown
Contributor

Resolves open CVEs in golang.org/x/crypto v0.24.0:

  • GHSA-v778-237x-gjrc, GO-2024-3321 (fixed in v0.31.0)
  • GO-2026-5005, GO-2026-5006, GO-2026-5017, GO-2026-5019, GO-2026-5020, GO-2026-5021, GO-2026-5023 (fixed in v0.52.0)

Resolves open CVE in golang.org/x/net v0.26.0:

  • GO-2026-5026 (fixed in v0.55.0)

The toolchain directive already pins go1.26.4 which covers all stdlib CVEs (CVE-2025-22871, CVE-2025-68121, CVE-2026-27143, GO-2025-3563, GO-2026-4337). No source changes — go.mod/go.sum only.

Resolves open CVEs in golang.org/x/crypto v0.24.0:
- GHSA-v778-237x-gjrc, GO-2024-3321 (fixed in v0.31.0)
- GO-2026-5005, GO-2026-5006, GO-2026-5017, GO-2026-5019,
  GO-2026-5020, GO-2026-5021, GO-2026-5023 (fixed in v0.52.0)

Resolves open CVE in golang.org/x/net v0.26.0:
- GO-2026-5026 (fixed in v0.55.0)

The toolchain directive already pins go1.26.4 which covers all
stdlib CVEs (CVE-2025-22871, CVE-2025-68121, CVE-2026-27143,
GO-2025-3563, GO-2026-4337). No source changes — go.mod/go.sum only.
@stoktamisoglu

stoktamisoglu commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

Hi @danielpaulus / @shamanec , would you please review this PR which doesn't have any code change just upgrading crypto and net libraries to the versions which fixed the known CVEs? Thanks

@danielpaulus

Copy link
Copy Markdown
Owner

Hi @danielpaulus / @shamanec , would you please review this PR which doesn't have any code change just upgrading crypto and net libraries to the versions which fixed the known CVEs? Thanks

Will do tmrw, right now I am waiting for my gh action minutes to reset 😅

@stoktamisoglu stoktamisoglu changed the title fix(deps): upgrade x/crypto to v0.52.0 and x/net to v0.55.0 to fix CVEs fix(deps): upgrade x/crypto to v0.52.0, x/net to v0.55.0 and x/quic-go to v0.59.1 to fix CVEs Jul 6, 2026
@stoktamisoglu

Copy link
Copy Markdown
Contributor Author

Hi @danielpaulus , I've updated the PR with another CVE handling for quick-go.

There is one breaking API change: quic-go renamed the Connection interface to a concrete *Conn type. Fixed the two usages in [ios/tunnel/tunnel.go] forwardDataToDevice/forwardDataToInterface signatures.

@stoktamisoglu

Copy link
Copy Markdown
Contributor Author

Hi @danielpaulus , would you review these 3 CVE related library bumps at your conveniences ? Thanks in advance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants