New CVEs need to be applied for Gosu: CVE-2022-24675, CVE-2022-27191, CVE-2022-28327

[marcosbc]

Hi! We have got a report that the following CVEs, which do not appear in https://github.com/tianon/gosu/issues/104:

• CVE-2022-24675: encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data
• CVE-2022-27191: The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
• CVE-2022-28327: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

Is Gosu affected by any of these issues? Thanks!

[tianon]

Thanks! Updated #104:

• CVE-2022-24675: does not use encoding/pem (#108)
• CVE-2022-27191: does not use golang.org/x/crypto/ssh (#108)
• CVE-2022-28327: does not use crypto/elliptic (#108)