Bump golang.org/x/crypto from 0.27.0 to 0.31.0

[dependabot]

Bumps golang.org/x/crypto from 0.27.0 to 0.31.0.

Commits

• b4f1988 ssh: make the public key cache a 1-entry FIFO cache
• 7042ebc openpgp/clearsign: just use rand.Reader in tests
• 3e90321 go.mod: update golang.org/x dependencies
• 8c4e668 x509roots/fallback: update bundle
• 6018723 go.mod: update golang.org/x dependencies
• 71ed71b README: don't recommend go get
• 750a45f sha3: add MarshalBinary, AppendBinary, and UnmarshalBinary
• 36b1725 sha3: avoid trailing permutation
• 80ea76e sha3: fix padding for long cSHAKE parameters
• c17aa50 sha3: avoid buffer copy
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

• Chores
  • Updated various underlying dependencies to their latest versions to improve performance, stability, and incorporate upstream fixes.
  • Introduced an additional module to enhance functionality.

[coderabbitai]

Walkthrough

The go.mod file has been updated with newer dependency versions. Specifically, the versions for golang.org/x/sync, golang.org/x/crypto, and golang.org/x/sys have been increased, while golang.org/x/text was added. In addition, several indirect dependencies related to Apache Arrow for Go have been updated. These changes reflect routine dependency management adjustments.

Changes

File(s)	Change Summary
go.mod	Updated dependency versions: - golang.org/x/sync: 0.8.0 → 0.10.0 - golang.org/x/crypto: 0.27.0 → 0.31.0 - golang.org/x/sys: 0.25.0 → 0.28.0 Added: golang.org/x/text v0.21.0 Updated indirect dependencies for Apache Arrow (go/v13 and go/v14)

Poem

I'm a rabbit, hopping through the code,
Where dependencies bloom in a neat, fresh mode.
From sync to crypto, my steps are light,
New versions glisten in the soft moonlight.
With every update, I do a joyful leap—
Carrots and clean code, a harvest to keep!

Warning

There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure.

🔧 golangci-lint (1.62.2)

level=warning msg="[config_reader] The configuration option run.skip-dirs is deprecated, please use issues.exclude-dirs."
level=warning msg="[config_reader] The configuration option linters.errcheck.ignore is deprecated, please use linters.errcheck.exclude-functions."
Error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24)
Failed executing command with error: can't load config: the Go language version (go1.23) used to build golangci-lint is lower than the targeted Go version (1.24)

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e45be48 and 57e4c03.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Check Commit

🔇 Additional comments (2)

go.mod (2)

158-158: LGTM! The dependency updates look good.

The changes are well-structured and include necessary updates to related packages:

• Primary update: golang.org/x/crypto from v0.27.0 to v0.31.0
• Related updates:
  • golang.org/x/sync to v0.10.0
  • golang.org/x/sys to v0.28.0
  • golang.org/x/text to v0.21.0

Also applies to: 250-250, 284-285

---

158-158:

❓ Verification inconclusive

Verify compatibility and security implications of the version updates.

The updates look good and align with the PR objectives. Let's verify the compatibility and security implications of these version updates:

Also applies to: 250-250, 284-285

---

🌐 Web query:

Are there any known security vulnerabilities in golang.org/x/crypto v0.31.0?

💡 Result:

The golang.org/x/crypto package version v0.31.0 was released on December 11, 2024, specifically to address CVE-2024-45337, a critical authorization bypass vulnerability caused by misuse of the ServerConfig.PublicKeyCallback function[1][4][7]. Here's a detailed breakdown:

Key Findings

1. CVE-2024-45337 Fix:

   • Vulnerability: Incorrect implementation of PublicKeyCallback allowed attackers to bypass SSH authentication by manipulating public key validation logic[1][7][10].
   • Resolution: Version 0.31.0 enforces that the last key passed to PublicKeyCallback during successful authentication is used for the connection, preventing unauthorized access[2][4].

2. No New Vulnerabilities Reported:

   • As of February 13, 2025, there are no known security vulnerabilities specific to v0.31.0 in the analyzed sources[6][9]. Snyk’s vulnerability database shows no unresolved issues for this version[6].

Recommendations

• Update Confirmation: If you’re already using v0.31.0, you’ve mitigated CVE-2024-45337[1][4].
• Ongoing Monitoring: Use tools like Vulert or Snyk to track future advisories[5][7].

For applications previously affected by CVE-2024-45337 (e.g., NanoProxy), upgrading to v0.31.0 resolves the issue[3].

Citations:

• 1: https://vulert.com/vuln-db/CVE-2024-45337
• 2: x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass golang/go#70779
• 3: GHSA-7prj-hgx4-2xc3
• 4: https://devcenter.upsun.com/posts/cve-2024-45337/
• 5: https://jarosz.dev/code/how-to-handle-go-security-alerts/
• 6: https://security.snyk.io/package/golang/golang.org%2Fx%2Fcrypto
• 7: https://vulert.com/vuln-db/go-golang-org-x-crypto-177018
• 8: Vulnerabilities detected kyverno/kyverno#11747
• 9: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=golang&search_type=all
• 10: https://platform.sh/blog/uncovered-and-patched-golang-vunerability/

---

🌐 Web query:

What are the breaking changes between golang.org/x/crypto v0.27.0 and v0.31.0?

💡 Result:

The breaking changes between golang.org/x/crypto v0.27.0 and v0.31.0 primarily involve security fixes and behavioral adjustments in SSH authentication handling:

---

Security Fixes with Breaking Changes

SSH ServerConfig.PublicKeyCallback Behavior

• Authorization bypass mitigation: Applications misusing ServerConfig.PublicKeyCallback may see altered behavior[4][5][8].
  • Old behavior: The callback could be invoked with multiple keys during authentication attempts, even if the client didn’t prove ownership of those keys[4].
  • New behavior (v0.31.0+): The last key passed to PublicKeyCallback will always be the one used for successful authentication[4][8]. This enforces stricter validation but breaks applications relying on external state from earlier callback invocations[8].

Required Code Updates

• Applications must now use the Permissions field (via ServerConn.Permissions) to track authentication state instead of external variables[8].
• Third-party libraries sharing Permissions across authentication attempts may require updates[8].

---

Other Breaking Changes in Dependent Modules

Testcontainers-Go (Indirect Impact)

• Container termination: container.Terminate(ctx) now requires variadic termination options[3]. Code assigning this method to variables will break[3].
• Functional options: Modules like GCloud’s WithProjectID now return errors, requiring error handling in custom options[3].

Crypto Dependency Upgrades

• Projects using older versions of golang.org/x/crypto (e.g., <v0.31.0) may face forced upgrades due to security exclusions (e.g., replace directives in go.mod files)[1][10].

---

Summary: The most critical breaking change is the SSH authentication flow adjustment in v0.31.0, requiring code audits for proper use of PublicKeyCallback. Indirect breaks may occur in projects depending on updated modules like Testcontainers-Go[3][10].

Citations:

• 1: https://github.com/cyberark/secrets-provider-for-k8s/blob/main/go.mod
• 2: https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1214
• 3: https://github.com/testcontainers/testcontainers-go/releases
• 4: https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q
• 5: https://vulert.com/vuln-db/go-golang-org-x-crypto-177018
• 6: https://go.dev/doc/devel/release
• 7: https://thanos.io/v0.2/thanos/changelog.md/
• 8: x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass golang/go#70779
• 9: https://docs.buoyant.io/release-notes/buoyant-extension/
• 10: golang.org/x/crypto version is vulnerable to exploit Azure/azure-storage-fuse#1593

---

Action: Validate updated dependency versions and review SSH authentication usage

The dependency updates align with the PR objectives. In particular, note:

• golang.org/x/crypto v0.31.0 now resolves CVE-2024-45337 by enforcing that the last key passed to ServerConfig.PublicKeyCallback is used, which mitigates the previous authorization bypass vulnerability.
• This security fix introduces a breaking change compared to v0.27.0 that may affect code relying on multiple callback invocations or external state for authentication. Please verify that SSH authentication logic correctly handles this change.
• The accompanying updates to golang.org/x/sync, golang.org/x/sys, and golang.org/x/text appear to be transitive adjustments; however, double-check their integration with your codebase.

Review file: go.mod (lines 158, 250, 284–285) to ensure all dependency usages remain compatible with these changes.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.