
chore(deps): Bump golang.org/x/crypto from 0.29.0 to 0.31.0 #16311

Closed

Conversation

@orgads orgads commented Dec 16, 2024

Backport of #16297.

Fixes CVE-2024-45337. See golang/go#70779.

(cherry picked from commit 36553ae)

  • No AI generated code was used in this PR

@telegraf-tiger telegraf-tiger bot added the chore label Dec 16, 2024
@telegraf-tiger

Warning: this pull request is targeting a branch other than master (release-1.33)

@telegraf-tiger

Download PR build artifacts for linux_amd64.tar.gz, darwin_arm64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

🥳 This pull request decreases the Telegraf binary size by -1.76 % for linux amd64 (new size: 268.8 MB, nightly size 273.6 MB)

Artifact URLs

DEB: amd64.deb, arm64.deb, armel.deb, armhf.deb, i386.deb, mips.deb, mipsel.deb, ppc64el.deb, riscv64.deb, s390x.deb
RPM: aarch64.rpm, armel.rpm, armv6hl.rpm, i386.rpm, ppc64le.rpm, riscv64.rpm, s390x.rpm, x86_64.rpm
TAR GZ: darwin_amd64.tar.gz, darwin_arm64.tar.gz, freebsd_amd64.tar.gz, freebsd_armv7.tar.gz, freebsd_i386.tar.gz, linux_amd64.tar.gz, linux_arm64.tar.gz, linux_armel.tar.gz, linux_armhf.tar.gz, linux_i386.tar.gz, linux_mips.tar.gz, linux_mipsel.tar.gz, linux_ppc64le.tar.gz, linux_riscv64.tar.gz, linux_s390x.tar.gz
ZIP: windows_amd64.zip, windows_arm64.zip, windows_i386.zip


jdstrand commented Dec 16, 2024

@orgads - thanks for the PR! I'll let the telegraf team comment further, but I'll say that this issue doesn't affect telegraf because the issue deals with golang.org/x/crypto/ssh when operating as an SSH server, which telegraf does not do (telegraf only operates as an SSH client). Furthermore, while telegraf does indirectly import some server functions, it does not import (indirectly or otherwise) the affected PublicKeyCallback API.

As you referenced, #16297 was merged to fix this (and therefore it is queued for the upcoming 1.33.1 release). Since this issue doesn't affect telegraf, IMO we don't need to do an out-of-cycle emergency update in prior versions. cc @srebhan and @DStrand1
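The question raised in the comment above, whether a code base references the affected `PublicKeyCallback` API of golang.org/x/crypto/ssh, can be checked mechanically. The following is an added example, not code from Telegraf or from this PR: it parses Go source with the standard `go/ast` package and flags files that import the ssh package and mention `PublicKeyCallback`. The two embedded source files are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed samples: server.go configures an SSH server with PublicKeyCallback
// (the API named in CVE-2024-45337); client.go only builds an SSH client config.
var samples = map[string]string{
	"server.go": `package s
import "golang.org/x/crypto/ssh"
func cfg() *ssh.ServerConfig {
	return &ssh.ServerConfig{PublicKeyCallback: func(c ssh.ConnMetadata, k ssh.PublicKey) (*ssh.Permissions, error) { return nil, nil }}
}`,
	"client.go": `package c
import "golang.org/x/crypto/ssh"
func dial() { _ = &ssh.ClientConfig{User: "u"} }`,
}

// usesPublicKeyCallback reports whether src imports golang.org/x/crypto/ssh and
// contains an identifier named PublicKeyCallback (field key or selector).
func usesPublicKeyCallback(src string) (bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "", src, 0)
	if err != nil {
		return false, err
	}
	importsSSH := false
	for _, imp := range f.Imports {
		if imp.Path.Value == `"golang.org/x/crypto/ssh"` {
			importsSSH = true
		}
	}
	if !importsSSH {
		return false, nil // cannot be using the x/crypto ssh server API
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		if id, ok := n.(*ast.Ident); ok && id.Name == "PublicKeyCallback" {
			found = true
			return false
		}
		return true
	})
	return found, nil
}

func main() {
	for name, src := range samples {
		hit, err := usesPublicKeyCallback(src)
		fmt.Printf("%s: references PublicKeyCallback=%v err=%v\n", name, hit, err)
	}
}
```

A hit only means the API is referenced; whether the callback's result is used correctly still has to be read by hand.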


orgads commented Dec 16, 2024

I'm not familiar with how you manage the branches. Isn't 1.33.1 released from release-1.33 branch?

@DStrand1

> I'm not familiar with how you manage the branches. Isn't 1.33.1 released from release-1.33 branch?

We release from the master branch, so all new PRs go there. We got this dependency bumped in #16297. Thanks for the PR effort though!

@DStrand1 DStrand1 closed this Dec 16, 2024
@orgads orgads deleted the CVE-2024-45337 branch December 16, 2024 16:01

orgads commented Dec 16, 2024

No problem, thank you.
