mirror of
https://gitea.com/gitea/act_runner.git
synced 2026-06-13 13:24:23 +02:00
740a3d4db4
Updates `golang.org/x/crypto` from `v0.50.0` to `v0.52.0` (and `golang.org/x/net` from `v0.53.0` to `v0.54.0` as a transitive bump). ## Why `make security-check` (govulncheck) reported **7 vulnerabilities**, all in `golang.org/x/crypto/ssh` at `v0.50.0`, reachable through the git action cache fetch path (`act/runner/action_cache.go` → `git.Remote.FetchContext`): | ID | Issue | | --- | --- | | GO-2026-5013 | Byte arithmetic underflow/panic in `ssh` | | GO-2026-5015 | Server panic during `CheckHostKey`/`Authenticate` | | GO-2026-5017 | Client can cause server deadlock on unexpected responses | | GO-2026-5018 | Pathological RSA/DSA parameters may cause DoS | | GO-2026-5019 | Bypass of FIDO/U2F physical interaction | | GO-2026-5020 | Infinite loop on large channel writes | | GO-2026-5021 | Auth bypass via unenforced `@revoked` status in `knownhosts` | All are fixed in `v0.52.0`. Reviewed-on: https://gitea.com/gitea/runner/pulls/1027 Reviewed-by: techknowlogick <9+techknowlogick@noreply.gitea.com>
4.7 KiB
4.7 KiB