
RDODCP-915: Security patches and dependency updates #54

Closed
anurag-outsystems wants to merge 1 commit into master from RDODCP-915-CH

Conversation

@anurag-outsystems anurag-outsystems commented May 26, 2026

Summary

Security patches for 11 vulnerabilities found by govulncheck and dependency updates.

Changes

  • Update Go to 1.26.3 (fixes 3 stdlib vulnerabilities)
  • Update golang.org/x/crypto v0.50.0 → v0.52.0 (fixes 6 vulnerabilities)
  • Update golang.org/x/net v0.53.0 → v0.55.0 (fixes 1 vulnerability)
  • Update other golang.org/x packages:
    • golang.org/x/sys v0.43.0 → v0.45.0
    • golang.org/x/text v0.36.0 → v0.37.0
    • golang.org/x/term v0.42.0 → v0.43.0
  • Update github.com/fsnotify/fsnotify v1.10.0 → v1.10.1

Vulnerabilities Fixed

golang.org/x/crypto (6 CVEs)

  • GO-2026-5023: VerifiedPublicKeyCallback permissions skip enforcement
  • GO-2026-5020: SSH infinite loop on large channel writes
  • GO-2026-5019: FIDO/U2F security key bypass
  • GO-2026-5018: DoS via pathological RSA/DSA parameters
  • GO-2026-5017: SSH server deadlock on unexpected responses
  • GO-2026-5014: Certificate restrictions bypass
  • GO-2026-5013: Byte arithmetic underflow panic

golang.org/x/net (1 CVE)

  • GO-2026-5026: Failure to reject ASCII-only Punycode-encoded labels

Go stdlib (3 CVEs)

  • GO-2026-4976: ReverseProxy forwards queries with excessive parameters
  • GO-2026-4971: Panic in Dial/LookupPort with NUL byte on Windows
  • GO-2026-4918: HTTP/2 infinite loop with bad SETTINGS_MAX_FRAME_SIZE

Test Plan

  • Build succeeds (go build)
  • End-to-end tests pass (all tests in test/e2e)
  • No breaking changes to functionality

Note on Test Failure

The TestCustomHeaders test in client/client_test.go fails on both master and this branch (port binding issue). This is a pre-existing flaky test, unrelated to the dependency updates.

  Update Go to 1.26.3 and patch 11 vulnerabilities:
  - 6 in golang.org/x/crypto (v0.50.0 → v0.52.0)
  - 1 in golang.org/x/net (v0.53.0 → v0.55.0)
  - 3 in Go stdlib (go1.26.2 → go1.26.3)

  Additional dependency updates for maintenance:
  - golang.org/x/sys v0.43.0 → v0.45.0
  - golang.org/x/text v0.36.0 → v0.37.0
  - golang.org/x/term v0.42.0 → v0.43.0
  - github.com/fsnotify/fsnotify v1.10.0 → v1.10.1
@anurag-outsystems anurag-outsystems requested a review from a team as a code owner May 26, 2026 05:21
@anurag-outsystems anurag-outsystems added the bug Something isn't working label May 26, 2026
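As an added verification example, not part of this PR or of the project's own code: a small Go program that parses a go.mod and checks that the go directive and every require entry are at or above the versions this PR says it lands (Go 1.26.3, x/crypto v0.52.0, x/net v0.55.0, x/sys v0.45.0, x/text v0.37.0, x/term v0.43.0, fsnotify v1.10.1). The two go.mod fragments are constructed for the demo and `example.com/app` is a placeholder module path; the parser deliberately ignores replace and exclude directives, so run it against the go.mod that `go mod tidy` produced.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Minimum versions this PR says go.mod must carry after the merge.
// "go" is the go directive; the rest are require entries.
var minimums = map[string]string{
	"go":                           "1.26.3",
	"golang.org/x/crypto":          "v0.52.0",
	"golang.org/x/net":             "v0.55.0",
	"golang.org/x/sys":             "v0.45.0",
	"golang.org/x/text":            "v0.37.0",
	"golang.org/x/term":            "v0.43.0",
	"github.com/fsnotify/fsnotify": "v1.10.1",
}

// Constructed go.mod fragment standing in for the pre-patch state (not the project's file).
const staleGoMod = `module example.com/app

go 1.26.2

require (
	github.com/fsnotify/fsnotify v1.10.1
	golang.org/x/crypto v0.50.0
	golang.org/x/net v0.53.0 // indirect
	golang.org/x/sys v0.45.0
	golang.org/x/term v0.43.0
	golang.org/x/text v0.37.0
)
`

// The same fragment with the three versions this PR bumps for vulnerabilities.
var patchedGoMod = strings.NewReplacer(
	"go 1.26.2", "go 1.26.3", "v0.50.0", "v0.52.0", "v0.53.0", "v0.55.0",
).Replace(staleGoMod)

// parseVersion turns "v0.52.0" or "1.26.3" into [major minor patch]. Any "-pre" or
// "+incompatible" suffix is dropped, so pseudo-versions compare on their base only.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// AtLeast reports whether have >= want; unparseable input counts as a failure.
func AtLeast(have, want string) bool {
	h, err1 := parseVersion(have)
	w, err2 := parseVersion(want)
	if err1 != nil || err2 != nil {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// ParseGoMod extracts the go directive and every require entry (single-line or
// block form), stripping // comments such as "// indirect". No replace/exclude support.
func ParseGoMod(src string) map[string]string {
	have := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case strings.HasPrefix(line, "go "):
			have["go"] = strings.Fields(line)[1]
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) == 2 {
				have[f[0]] = f[1]
			}
		}
	}
	return have
}

// Check returns a sorted list of modules that are missing from go.mod or below their minimum.
func Check(goMod string, mins map[string]string) []string {
	have := ParseGoMod(goMod)
	var bad []string
	for mod, want := range mins {
		got, ok := have[mod]
		switch {
		case !ok:
			bad = append(bad, mod+": not in go.mod")
		case !AtLeast(got, want):
			bad = append(bad, fmt.Sprintf("%s: have %s, need >= %s", mod, got, want))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	fmt.Println("stale:  ", Check(staleGoMod, minimums))
	fmt.Println("patched:", Check(patchedGoMod, minimums))
}
```

To use it on the real repository, read go.mod with os.ReadFile and pass its contents to Check. The list of minimums only encodes the advisories this PR names; the authoritative post-merge check is still `govulncheck ./...` on the updated tree, since it reports on the versions actually resolved, including anything pulled in through replace directives that this parser ignores.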