Skip to content

fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [release-v0.37.6]#2909

Open
divyansh42 wants to merge 5 commits into
release-v0.37.xfrom
fix/SRVKP-12454-SRVKP-12456-CVE-2026-39828-CVE-2026-39829-xcrypto-release-v0.37.6-attempt-1
Open

fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [release-v0.37.6]#2909
divyansh42 wants to merge 5 commits into
release-v0.37.xfrom
fix/SRVKP-12454-SRVKP-12456-CVE-2026-39828-CVE-2026-39829-xcrypto-release-v0.37.6-attempt-1

Conversation

@divyansh42

@divyansh42 divyansh42 commented Jun 18, 2026

Copy link
Copy Markdown
Member

CVE Details

CVE Severity Description Fixed Version
CVE-2026-39828 (GO-2026-5014) High Unauthorized command execution via discarded SSH permissions in golang.org/x/crypto/ssh v0.52.0
CVE-2026-39829 (GO-2026-5018) High DoS via crafted public key with excessive parameters in golang.org/x/crypto/ssh v0.52.0
CVE-2026-39830 (GO-2026-5017) High DoS via resource leak from unsolicited SSH responses in golang.org/x/crypto/ssh v0.52.0

Jira: SRVKP-12454, SRVKP-12456, SRVKP-12481

Fix Summary

Test Results ✅

Command: go test -mod=vendor -count=1 ./...
Status: PASSED

Breaking Changes

No breaking changes. Indirect dependency bump only.

Verification Steps

  • Review go.mod and go.sum for golang.org/x/crypto v0.52.0
  • Confirm CI passes
  • Merge after CI green

Risk Assessment

Low — Indirect dependency bump, no CLI API changes, all tests pass.


Updated by CVE Fixer automation — added CVE-2026-39830 (SRVKP-12481) coverage.

divyansh42 and others added 4 commits April 24, 2026 08:36
Signed-off-by: divyansh42 <diagrawa@redhat.com>
Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
Signed-off-by: divyansh42 <diagrawa@redhat.com>
…1.25.8 to 1.25.9

Signed-off-by: divyansh42 <diagrawa@redhat.com>
@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jun 18, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 18, 2026

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: divyansh42 / name: Divyanshu Agrawal (b9d7586)

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jun 18, 2026
@divyansh42 divyansh42 changed the title fix(cve): CVE-2026-39828, CVE-2026-39829 - update golang.org/x/crypto to v0.52.0 [pipelines-1.15] fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [pipelines-1.15] Jun 19, 2026
@pratap0007

Copy link
Copy Markdown
Contributor

/retest

@divyansh42

Copy link
Copy Markdown
Member Author

/hold

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 22, 2026
@divyansh42 divyansh42 changed the title fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [pipelines-1.15] fix(cve): CVE-2026-39828, CVE-2026-39829, CVE-2026-39830 - update golang.org/x/crypto to v0.52.0 [release-v0.37.6] Jul 2, 2026
@divyansh42 divyansh42 added the release-note-none Denotes a PR that doesnt merit a release note. label Jul 2, 2026
@tekton-robot tekton-robot removed the do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. label Jul 2, 2026
@divyansh42

Copy link
Copy Markdown
Member Author

/retest

@divyansh42

Copy link
Copy Markdown
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
@divyansh42 divyansh42 force-pushed the fix/SRVKP-12454-SRVKP-12456-CVE-2026-39828-CVE-2026-39829-xcrypto-release-v0.37.6-attempt-1 branch 3 times, most recently from 7180558 to 25f8843 Compare July 3, 2026 12:46
@divyansh42 divyansh42 changed the base branch from release-v0.37.6 to release-v0.37.x July 3, 2026 12:47
- Update golang.org/x/crypto from v0.46.0 to v0.52.0
- Addresses CVE-2026-39828: Unauthorized command execution via discarded
  SSH permissions in golang.org/x/crypto/ssh (GO-2026-5014)
- Addresses CVE-2026-39829: DoS via crafted public key with excessive
  parameters in golang.org/x/crypto/ssh (GO-2026-5018)
- Also picks up fixes for related x/crypto/ssh vulnerabilities in v0.52.0
- Run go mod tidy, go mod verify, go mod vendor; all tests pass

Resolves: SRVKP-12454, SRVKP-12456

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Divyanshu Agrawal <diagrawa@redhat.com>
@divyansh42 divyansh42 force-pushed the fix/SRVKP-12454-SRVKP-12456-CVE-2026-39828-CVE-2026-39829-xcrypto-release-v0.37.6-attempt-1 branch from 25f8843 to 013169e Compare July 3, 2026 12:50
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing /assign @vdemeester in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@divyansh42

Copy link
Copy Markdown
Member Author

/retest

@divyansh42

Copy link
Copy Markdown
Member Author

/hold
PR need to be rebased

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. release-note-none Denotes a PR that doesnt merit a release note. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants