Skip to content

[release-v0.42.x] Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 #3006

Open
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12617-cve-2026-39835-crypto-release-v0.42.x-attempt-1
Open

[release-v0.42.x] Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 #3006
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12617-cve-2026-39835-crypto-release-v0.42.x-attempt-1

Conversation

@divyansh42

Copy link
Copy Markdown
Member

Summary

This PR fixes CVE-2026-39835 by upgrading golang.org/x/crypto from v0.47.0 to v0.52.0.

CVE Details

  • CVE-2026-39835 (GO-2026-5015, GHSA-78mq-xcr3-xm33): golang.org/x/crypto/ssh — Denial of Service via crafted SSH certificate
    • Vulnerable versions: < v0.52.0
    • Fixed version: v0.52.0
    • Jira: SRVKP-12617

Changes

  • Upgraded golang.org/x/crypto v0.47.0 → v0.52.0
  • Transitive upgrades: x/net v0.49.0→v0.54.0, x/sys, x/text, x/tools, x/sync, x/mod, x/term

Vulnerability Scan

  • Tool: govulncheck v1.5.0 (go1.25.9)
  • Note: CVE was identified via OSV/GHSA advisory (GO-2026-5015). The package has been upgraded to the advisory fixed version.

Test Results

Status: ✅ All tests passed (42 packages OK)

Jira References

SRVKP-12617

Testing Checklist

  • Pre-PR automated tests executed (42/42 packages passed)
  • go mod tidy && go mod verify && go mod vendor passed
  • Verify CVE is resolved with security scan post-merge

Risk Assessment

Low — indirect dependency upgrade with no breaking API changes. All unit tests pass.


🤖 Generated by CVE Fixer Workflow

Security fix: upgrade golang.org/x/crypto from v0.47.0 to v0.52.0 to address CVE-2026-39835

- Upgrade golang.org/x/crypto from v0.47.0 to v0.52.0
- Addresses Denial of Service via crafted SSH certificate in golang.org/x/crypto/ssh
- Transitive upgrades: x/net v0.49.0→v0.54.0, x/sys, x/text, x/tools, x/sync, x/mod, x/term
- All 42 unit test packages pass

Jira: SRVKP-12617

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 7, 2026
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 7, 2026
@pratap0007

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pratap0007
To complete the pull request process, please assign pradeepitm12 after the PR has been reviewed.
You can assign the PR to them by writing /assign @pradeepitm12 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 (SRVKP-12617) Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 Jul 8, 2026
@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 [release-v0.4.2.x] Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 Jul 8, 2026
@divyansh42 divyansh42 changed the title [release-v0.4.2.x] Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 [release-v0.42.x] Security: Fix CVE-2026-39835 - upgrade golang.org/x/crypto to v0.52.0 Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants