Skip to content

fix(deps): vuln minor upgrades — 8 packages (minor: 6 · patch: 2) [historyserver]#20

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/historyserver/0-1783387047
Draft

fix(deps): vuln minor upgrades — 8 packages (minor: 6 · patch: 2) [historyserver]#20
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/go/historyserver/0-1783387047

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

  • historyserver (go)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
golang.org/x/crypto v0.47.0 v0.53.0 minor Transitive 14 CRITICAL, 4 HIGH, 8 MEDIUM
google.golang.org/grpc v1.78.0 v1.82.0 minor Transitive 3 CRITICAL
go.opentelemetry.io/otel/sdk v1.39.0 v1.44.0 minor Transitive 4 HIGH
github.com/go-jose/go-jose/v4 v4.1.3 v4.1.4 patch Transitive 2 HIGH
github.com/moby/spdystream v0.5.0 v0.5.1 patch Transitive 2 HIGH
go.opentelemetry.io/otel v1.39.0 v1.44.0 minor Transitive 1 HIGH
golang.org/x/net v0.49.0 v0.56.0 minor Transitive 2 MEDIUM, 6 UNKNOWN
golang.org/x/sys v0.40.0 v0.46.0 minor Transitive 1 UNKNOWN

Security Details

🚨 Critical & High Severity (30 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GO-2026-5019 CRITICAL Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GO-2026-5023 CRITICAL Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-89gr-r52h-f8rx CRITICAL golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed v0.47.0 - -
golang.org/x/crypto GHSA-rm3j-f69w-wqmq CRITICAL golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes v0.47.0 - -
golang.org/x/crypto GHSA-f5wc-c3c7-36mc CRITICAL golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys v0.47.0 - -
golang.org/x/crypto GO-2026-5021 CRITICAL Invoking auth bypass via unenforced @Revoked status in golang.org/x/crypto/ssh/knownhosts v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-5cgq-3rg8-m6cv CRITICAL golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @Revoked status v0.47.0 - -
golang.org/x/crypto GO-2026-5006 CRITICAL Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-vgwf-h737-ff37 CRITICAL golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses v0.47.0 - -
golang.org/x/crypto GO-2026-5005 CRITICAL Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-x527-x647-q7gg CRITICAL golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement v0.47.0 - -
golang.org/x/crypto GHSA-jppx-rxg9-jmrx CRITICAL golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints v0.47.0 - -
golang.org/x/crypto GO-2026-5020 CRITICAL Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GO-2026-5017 CRITICAL Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
google.golang.org/grpc GHSA-p77j-4mvh-x3m3 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.78.0 1.79.3 -
google.golang.org/grpc GO-2026-4762 CRITICAL Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc v1.78.0 1.79.3 -
google.golang.org/grpc CVE-2026-33186 CRITICAL gRPC-Go has an authorization bypass via missing leading slash in :path v1.78.0 - -
github.com/go-jose/go-jose/v4 GO-2026-4945 HIGH Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose v4.1.3 4.1.4 -
github.com/go-jose/go-jose/v4 GHSA-78h2-9frx-2jm8 HIGH Go JOSE Panics in JWE decryption v4.1.3 4.1.4 -
github.com/moby/spdystream GHSA-pc3f-x583-g7j2 HIGH SpdyStream: DOS on CRI v0.5.0 0.5.1 -
github.com/moby/spdystream GO-2026-4958 HIGH Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream v0.5.0 0.5.1 -
go.opentelemetry.io/otel GHSA-mh2q-q3fh-2475 HIGH OpenTelemetry-Go: multi-value baggage header extraction causes excessive allocations (remote dos amplification) v1.39.0 1.41.0 -
go.opentelemetry.io/otel/sdk GO-2026-4394 high OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk v1.39.0 1.40.0 -
go.opentelemetry.io/otel/sdk GHSA-hfvc-g4fc-pqhx HIGH opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking v1.39.0 1.43.0 -
go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq HIGH OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking v1.39.0 1.40.0 -
go.opentelemetry.io/otel/sdk CVE-2026-24051 high OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking v1.39.0 - -
golang.org/x/crypto GHSA-q4h4-gmj2-qvw2 HIGH golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic v0.47.0 - -
golang.org/x/crypto GO-2026-5018 HIGH Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-w879-237q-wc7r HIGH golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS v0.47.0 - -
golang.org/x/crypto GO-2026-5013 HIGH Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
ℹ️ Other Vulnerabilities (17)
Package CVE Severity Summary Unsafe Version Fixed In Case
golang.org/x/crypto GO-2026-5033 MODERATE Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-qpw4-5x99-6vjp MODERATE golang.org/x/crypto/ssh: Invoking memory leak when rejecting channels can lead to DoS v0.47.0 - -
golang.org/x/crypto GHSA-9m57-25v3-79x9 MODERATE golang.org/x/crypto/ssh/agent: Invoking pathological inputs can lead to client panic v0.47.0 - -
golang.org/x/crypto GO-2026-5015 MODERATE Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-78mq-xcr3-xm33 MODERATE golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow v0.47.0 - -
golang.org/x/crypto GO-2026-5014 MODERATE Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/crypto GHSA-45gg-vh54-h5m9 MODERATE golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions v0.47.0 - -
golang.org/x/crypto GO-2026-5016 MODERATE Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh v0.47.0 0.52.0 -
golang.org/x/net GHSA-5cv4-jp36-h3mw MODERATE Go Net HTML parser is vulnerable to denial of service v0.49.0 0.55.0 -
golang.org/x/net GO-2026-5028 MODERATE Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html v0.49.0 0.55.0 -
golang.org/x/net GO-2026-5029 unknown Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html v0.49.0 0.55.0 -
golang.org/x/net GO-2026-5026 unknown Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna v0.49.0 0.55.0 -
golang.org/x/net GO-2026-4918 unknown Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net v0.49.0 0.53.0 -
golang.org/x/net GO-2026-5027 unknown Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html v0.49.0 0.55.0 -
golang.org/x/net GO-2026-5030 unknown Invoking duplicate attributes can cause XSS in golang.org/x/net/html v0.49.0 0.55.0 -
golang.org/x/net GO-2026-5025 unknown Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html v0.49.0 0.55.0 -
golang.org/x/sys GO-2026-5024 unknown Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows v0.40.0 0.44.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants