fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [pipelines-1.20]#2908
Conversation
- Update golang.org/x/crypto from v0.47.0 to v0.52.0 - Addresses CVE-2026-39828: Unauthorized command execution via discarded SSH permissions in golang.org/x/crypto/ssh (GO-2026-5014) - Addresses CVE-2026-39829: DoS via crafted public key with excessive parameters in golang.org/x/crypto/ssh (GO-2026-5018) - Also picks up fixes for related x/crypto/ssh vulnerabilities in v0.52.0 - Run go mod tidy, go mod verify, go mod vendor; all tests pass Resolves: SRVKP-12453, SRVKP-12457 Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@divyansh42: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
the
do-not-merge/release-note-label-needed
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
tekton-robot
added
the
size/XXL
divyansh42
changed the title
2 participants
CVE Details
Jira: SRVKP-12453, SRVKP-12457, SRVKP-12480
Fix Summary
golang.org/x/cryptofrom v0.47.0 → v0.52.0Test Results ✅
Breaking Changes
No breaking changes. Indirect dependency bump only.
Verification Steps
go.modandgo.sumforgolang.org/x/crypto v0.52.0Risk Assessment
Low — Indirect dependency bump, no CLI API changes, all tests pass.
Updated by CVE Fixer automation — added CVE-2026-39830 (SRVKP-12480) coverage.