Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #4263 - Fix CVE-2025-22869 vulnerability #4264

Merged
merged 1 commit into from
Feb 28, 2025
Merged

Issue #4263 - Fix CVE-2025-22869 vulnerability #4264

merged 1 commit into from
Feb 28, 2025

Conversation

omordyk
Copy link
Contributor

@omordyk omordyk commented Feb 28, 2025
edited by LiilyZhang
Loading

Description

golang.org/x/crypto-v0.31.0
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

CVE-2025-22869

Fix:

Upgrade to version v0.35.0

The reported vulnerability was not checked for vulnerability effectiveness and is suggested to be examined using Effective Usage Analysis.

Fixes #4263

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

make && make test
Screenshot 2025-02-28 at 09 01 05

Screenshot 2025-02-28 at 09 02 58

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings
  • I have tagged the reviewers in a comment below incase my pull request is ready for a review
  • I have signed the commit message to agree to Developer Certificate of Origin (DCO) (to certify that you wrote or otherwise have the right to submit your contribution to the project.) by adding "--signoff" to my git commit command.

@omordyk
Copy link
Contributor Author

omordyk commented Feb 28, 2025

@LiilyZhang @kroczi pls review

bencourliss
bencourliss requested changes Feb 28, 2025
View reviewed changes
Copy link
Member

@bencourliss bencourliss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe you'll need to update the GitHub Action as well to compile with the new version. See

anax/.github/workflows/build-push.yml

Line 151 in 6534651

go-version: '1.21'

@omordyk omordyk requested a review from bencourliss February 28, 2025 14:20
@omordyk
Copy link
Contributor Author

omordyk commented Feb 28, 2025

I believe you'll need to update the GitHub Action as well to compile with the new version. See

anax/.github/workflows/build-push.yml

Line 151 in 6534651

go-version: '1.21'

Fixed. Thanks

bencourliss
bencourliss approved these changes Feb 28, 2025
View reviewed changes
Copy link
Member

@bencourliss bencourliss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch on the other GHA that needed updating. LGTM.

@LiilyZhang LiilyZhang merged commit 1080f74 into open-horizon:master Feb 28, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bencourliss bencourliss bencourliss approved these changes

@LiilyZhang LiilyZhang LiilyZhang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability CVE-2025-22869
3 participants
@omordyk @bencourliss @LiilyZhang