search

scrapli / scrapligo

scrapli, but in go!
MIT License
258 stars 42 forks source link

Discussion around the dependency version of crypto package #191

Closed cdot65 closed 3 months ago

cdot65 commented 3 months ago

Hello, I would like to understand what we can do to move past version 0.6.0 of the crypto package.

I believe that I understand correctly that moving past 0.7.0 is unsupported if we are trying to maintain support of Go versions 1.16 and older. My concern with this approach is that the current implemented version of 0.6.0 has a vulnerability that is affecting my ability to push my project into customer environments.

Dependency go:golang.org/x/crypto:v0.6.0 is vulnerable

Upgrade to 0.23.0

CVE-2023-48795, Score: 5.9

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles the use of sequence numbers. For example, there is an effective attack against SSH's use of "ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC)". The bypass occurs in "chacha20-poly1305@openssh.com" and (if CBC is used) the "-etm@openssh.com" MAC algorithms. This vulnerability affects Go-github.com/golang/crypto package versions prior to 0.17.0, Python-paramiko package versions prior to 3.4.0 and Python-asyncssh package versions prior to 2.14.2, CPP-libssh2 package all verisons, CPP-libssh package versions prior to 0.9.8, and 0.10.x verison prior to 0.10.6, NPM-ssh2 package verisons 1.15.0, Maven-com.github.mwiede:jsch package verisons prior to 0.2.15, Php-phpseclib/phpseclib package version prior to 1.0.22 , 2.0.x prior to 2.0.46 , 3.0.x prior to 3.0.35.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-48795?utm_source=jetbrains&utm_medium=referral

CVE-2023-42818, Score: 9.8

JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.

Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-42818?utm_source=jetbrains&utm_medium=referral

Results powered by Checkmarx ©

Are there any plans to upgrade this dependency in the future, even if at the cost of dropping support for older versions of Go?

carlmontanari commented 3 months ago

yeah seems reasonable. folks can pin back to whatever version they want (and should be doing that anyway) so lets do it? :) kinda lame that it looks like we have to go all the way to 1.20 for the ecdh package in order for crypto pin to be happy but again... pin your stuff and I guess its ok! closing here then you can +1 the pr or comment as needed once thats open (soon)