Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated the crypto dependancy to force it to use latest #387

Merged
merged 1 commit into from
Dec 15, 2021
Merged

Updated the crypto dependancy to force it to use latest #387

merged 1 commit into from
Dec 15, 2021

Conversation

chrisharrisonkiwi
Copy link
Contributor

Updated the dependency golang.org/x/crypto to force it to use the latest version.
This will remove the 2021 security concern brought up by Mitre:
CVE-2020-9283

Also reported by the team at Snyk:
https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-551923

chrisharrisonkiwi - updated the crypto dependancy to force it to use …
cc6b941 
…the latest version (removing the security concern brought up by third parties)
@chrisharrisonkiwi chrisharrisonkiwi mentioned this pull request Dec 15, 2021
Closed
@rs rs merged commit 791ca15 into rs:master Dec 15, 2021
@chrisharrisonkiwi
Copy link
Contributor Author

chrisharrisonkiwi commented Dec 16, 2021
edited
Loading

@rs
Thanks for the quick merge!
Any chance we can get a new tag to pull the update?

@chrisharrisonkiwi
Copy link
Contributor Author

Thanks!

@chrisharrisonkiwi chrisharrisonkiwi mentioned this pull request Dec 16, 2021
Closed
@drakkan
Copy link
Contributor

drakkan commented Dec 16, 2021
edited
Loading

Hi,

do you have any particular reason to update the crypto dependency to the following branch

https://github.com/golang/crypto/commits/internal-branch.go1.17-vendor

instead of the master branch?

https://github.com/golang/crypto/commits/master

This patch, for example, seems not included in internal-branch.go1.17-vendor

@chrisharrisonkiwi
Copy link
Contributor Author

chrisharrisonkiwi commented Dec 16, 2021
edited
Loading

@drakkan
I didn't realise the update had shifted the crypto branch off of master.
If the latest master branch fixes the security issue, more than happy for it to be updated 👍

@drakkan drakkan mentioned this pull request Dec 16, 2021
Merged
@drakkan
Copy link
Contributor

drakkan commented Dec 16, 2021

@chrisharrisonkiwi I'm not sure if this would be accepted but maybe we can move the lint command to its own package and remove several dependencies from the actual library, see the referenced PR, thanks

pablitoc pushed a commit to nxcr-org/zerolog that referenced this pull request Apr 7, 2023
@chrisharrisonkiwi @pablitoc
Update the x/crypto dependency
ea3172d 
Removing the security concern brought up by third parties

Co-authored-by: Chris Harrison <[email protected]>

Fixes rs#387
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chrisharrisonkiwi @drakkan @rs