File update-crypto-cve-2025-47913.patch of Package act
From: Matthias Eliasson <elimat@opensuse.org> Date: Sat Nov 16 21:00:00 UTC 2025 Subject: Update golang.org/x/crypto to fix SSH agent DoS vulnerability References: bsc#1253608 Upstream: no (dependency version update) Update golang.org/x/crypto from v0.37.0 to v0.43.0 to fix CVE-2025-47913 (GO-2025-4116). SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. The vulnerability affects pkg/runner/action_cache.go which uses SSH agent functions via go-git. The fix was introduced in golang.org/x/crypto v0.43.0. See: - https://pkg.go.dev/vuln/GO-2025-4116 - https://go.dev/issue/75178 - https://go.dev/cl/700295 This also updates related golang.org/x dependencies to maintain compatibility: - golang.org/x/term: v0.35.0 -> v0.36.0 - golang.org/x/net: v0.39.0 -> v0.45.0 - golang.org/x/sync: v0.13.0 -> v0.17.0 - golang.org/x/sys: v0.36.0 -> v0.37.0 - golang.org/x/text: v0.24.0 -> v0.30.0 --- go.mod | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- go.mod.orig +++ go.mod @@ -29,7 +29,7 @@ require ( github.com/stretchr/testify v1.11.1 github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 go.etcd.io/bbolt v1.4.3 - golang.org/x/term v0.35.0 + golang.org/x/term v0.36.0 gopkg.in/yaml.v3 v3.0.1 gotest.tools/v3 v3.5.2 ) 
@@ -100,12 +100,12 @@ require ( go.opentelemetry.io/otel/metric v1.33.0 // indirect go.opentelemetry.io/otel/sdk v1.28.0 // indirect go.opentelemetry.io/otel/trace v1.33.0 // indirect - golang.org/x/crypto v0.37.0 // indirect + golang.org/x/crypto v0.43.0 // indirect golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect - golang.org/x/net v0.39.0 // indirect - golang.org/x/sync v0.13.0 // indirect - golang.org/x/sys v0.36.0 // indirect - golang.org/x/text v0.24.0 // indirect + golang.org/x/net v0.45.0 // indirect + golang.org/x/sync v0.17.0 // indirect + golang.org/x/sys v0.37.0 // indirect + golang.org/x/text v0.30.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect
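Review bot: The first hunk (the direct `golang.org/x/term v0.35.0 -> v0.36.0` bump) is the only change to the direct requirements, but the diffstat shows go.mod as the sole modified file, so the matching go.sum entries for the new versions are missing from the patch; unless the build runs `go mod tidy`/`go mod download` in an environment that can refresh checksums, a `-mod=readonly` or vendored build will fail with "missing go.sum entry". Consider including the go.sum changes in the patch, or state in the commit message how the checksums are regenerated at package build time.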
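Review bot: In the second hunk `golang.org/x/crypto` is raised to v0.43.0 while still marked `// indirect`, yet the commit message says the vulnerable code path is reached through go-git; since go-git's own requirement on x/crypto is unchanged here, a later `go mod tidy` will keep v0.43.0 only because MVS picks the highest required version, which is fine, but it is worth verifying after the update that the selected version actually holds and that the finding is gone, for example with `go list -m golang.org/x/crypto` and `govulncheck ./...` (which should no longer report GO-2025-4116). Also confirm that the `go` directive in go.mod satisfies the minimum Go version required by the x/crypto, x/net and x/sys releases pulled in here, since those modules raise their minimum toolchain periodically and the package's build environment may lag.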