Skip to content

[Snyk] Security upgrade ubuntu from trusty to trusty-20190425#10

Open
adamlaska wants to merge 1 commit into
mainfrom
snyk-fix-37cdf9eacc3b08ea77fbd70ba0867b2f
Open

[Snyk] Security upgrade ubuntu from trusty to trusty-20190425#10
adamlaska wants to merge 1 commit into
mainfrom
snyk-fix-37cdf9eacc3b08ea77fbd70ba0867b2f

Conversation

@adamlaska

@adamlaska adamlaska commented Nov 18, 2024

Copy link
Copy Markdown
Owner

snyk-top-banner

Snyk has created this PR to fix 5 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • vendor/golang.org/x/net/http2/Dockerfile

We recommend upgrading to ubuntu:trusty-20190425, as this image has only 356 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Off-by-one Error
SNYK-UBUNTU1404-SUDO-1065770		   829  
medium severity Improper Privilege Management
SNYK-UBUNTU1404-SUDO-3234995		   686  
medium severity Improper Handling of Exceptional Conditions
SNYK-UBUNTU1404-SUDO-473059		   686  
high severity Loop with Unreachable Exit Condition ('Infinite Loop')
SNYK-UBUNTU1404-OPENSSL-2426359		   614  
high severity Access of Resource Using Incompatible Type ('Type Confusion')
SNYK-UBUNTU1404-OPENSSL-3314800		   614  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Privilege Management
🦉 Access of Resource Using Incompatible Type ('Type Confusion')

@google-cla

google-cla Bot commented Nov 18, 2024

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

pull Bot pushed a commit that referenced this pull request Jun 16, 2026
@thaJeztah
vendor: golang.org/x/crypto v0.53.0
9838a32 
golang.org/x/crypto v0.52.0 contains various security updates; those
do NOT impact containerd, but may show up as vulnerability in scanners;

    === Symbol Results ===

    No vulnerabilities found.

    === Package Results ===

    No other vulnerabilities found.

    === Module Results ===

    Vulnerability #1: GO-2026-5033
        Invoking pathological inputs can lead to client panic in
        golang.org/x/crypto/ssh/agent
      More info: https://pkg.go.dev/vuln/GO-2026-5033
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #2: GO-2026-5023
        Invoking VerifiedPublicKeyCallback permissions skip enforcement in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5023
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #3: GO-2026-5021
        Invoking auth bypass via unenforced @Revoked status in
        golang.org/x/crypto/ssh/knownhosts
      More info: https://pkg.go.dev/vuln/GO-2026-5021
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #4: GO-2026-5020
        Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5020
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #5: GO-2026-5019
        Invoking bypass of FIDO/U2F security keys physical interaction in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5019
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #6: GO-2026-5018
        Invoking pathological RSA/DSA parameters may cause DoS in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5018
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #7: GO-2026-5017
        Invoking client can cause server deadlock on unexpected responses in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5017
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #8: GO-2026-5016
        Invoking memory leak when rejecting channels can lead to DoS in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5016
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #9: GO-2026-5015
        Invoking server panic during CheckHostKey/Authenticate in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5015
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #10: GO-2026-5014
        Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5014
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #11: GO-2026-5013
        Invoking byte arithmetic causes underflow and panic in
        golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2026-5013
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #12: GO-2026-5006
        Invoking agent constraints dropped when forwarding keys in
        golang.org/x/crypto/ssh/agent
      More info: https://pkg.go.dev/vuln/GO-2026-5006
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Vulnerability #13: GO-2026-5005
        Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
      More info: https://pkg.go.dev/vuln/GO-2026-5005
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.51.0
        Fixed in: golang.org/x/crypto@v0.52.0

    Your code is affected by 0 vulnerabilities.
    This scan also found 0 vulnerabilities in packages you import and 13
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

do-not-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@adamlaska @snyk-bot