author | Gusted <postmaster@gusted.xyz> | 2024-12-11 23:14:27 +0100 |
---|---|---|
committer | Earl Warren <contact@earl-warren.org> | 2024-12-12 05:54:07 +0100 |
commit | 3e1b03838e455d88089b4d6683443e1adfb4752e (patch) | |
tree | 72360b261429668bdcab44e64dcba612b89907e6 /go.mod | |
parent | Merge pull request 'Update dependency katex to v0.16.15 (forgejo)' (#6229) fr... (diff) | |
fix: ensure correct ssh public key is used for authentication
- The root cause is described in https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating; this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack; although partially mitigated by the fix in `x/crypto/ssh`, it
would not be good practice and defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security issue; the
exploit relies on non-standard SSH behavior, so it would be too hard to
craft SSH packets to exploit this.
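The difference between the two patterns the commit message contrasts, as an added example that is not Forgejo's, the fork's or x/crypto/ssh's code: `Server` below is a deliberately simplified stand-in for the server-side handshake (the callback runs for every key the client offers, signed or not, and its result is cached), `Permissions` stands in for the struct x/crypto/ssh returns for the key that actually authenticated, and the key database, session id and account names are constructed. `Demo` shows that identity taken from state the callback left behind can name a different account than the returned permissions do, and that reading the permissions is correct under both the old and the one-entry cache.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Permissions stands in for the value x/crypto/ssh hands back once the
// handshake succeeds; it belongs to the key that was actually proven.
type Permissions struct {
	Extensions map[string]string
}

// Attempt models one "publickey" userauth request: a query (no signature)
// asks whether a key is acceptable, a signed request proves possession.
type Attempt struct {
	Key ed25519.PublicKey
	Sig []byte // nil for a query-only request
}

// Server is a simplified model (not x/crypto/ssh itself). OneEntryCache
// models the upstream fix: only the most recently offered key is cached,
// so the callback always runs again for the key that finally signs.
type Server struct {
	PublicKeyCallback func(key ed25519.PublicKey) (*Permissions, error)
	OneEntryCache     bool
	cache             map[string]*Permissions
}

var sessionID = []byte("constructed-session-id") // what the client signs over

func (s *Server) Authenticate(attempts []Attempt) (*Permissions, error) {
	s.cache = map[string]*Permissions{}
	for _, a := range attempts {
		id := string(a.Key)
		perms, cached := s.cache[id]
		if !cached {
			if s.OneEntryCache {
				s.cache = map[string]*Permissions{} // forget earlier keys
			}
			p, err := s.PublicKeyCallback(a.Key)
			if err != nil {
				p = nil // remember the rejection too
			}
			s.cache[id] = p
			perms = p
		}
		if perms == nil || a.Sig == nil {
			continue // rejected key, or no proof of possession yet
		}
		if ed25519.Verify(a.Key, sessionID, a.Sig) {
			return perms, nil
		}
	}
	return nil, errors.New("publickey authentication failed")
}

func fingerprint(k ed25519.PublicKey) string {
	return fmt.Sprintf("SHA256:%x", sha256.Sum256(k))
}

// Demo returns the account name as seen from callback side state (the
// pattern the commit moves away from) and from the returned Permissions.
func Demo(oneEntryCache bool) (fromCallbackState, fromPermissions string, err error) {
	victimPub, _, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed key database: both keys belong to registered accounts.
	accounts := map[string]string{
		fingerprint(victimPub):   "victim",
		fingerprint(attackerPub): "attacker",
	}

	var lastCallbackUser string // state left behind by the callback
	srv := &Server{
		OneEntryCache: oneEntryCache,
		PublicKeyCallback: func(k ed25519.PublicKey) (*Permissions, error) {
			user, ok := accounts[fingerprint(k)]
			if !ok {
				return nil, errors.New("unknown key")
			}
			lastCallbackUser = user
			return &Permissions{Extensions: map[string]string{"user": user}}, nil
		},
	}

	// The client queries its own key, then a public key it does not own,
	// then proves possession of its own key only.
	attempts := []Attempt{
		{Key: attackerPub},
		{Key: victimPub},
		{Key: attackerPub, Sig: ed25519.Sign(attackerPriv, sessionID)},
	}
	perms, err := srv.Authenticate(attempts)
	if err != nil {
		return "", "", err
	}
	return lastCallbackUser, perms.Extensions["user"], nil
}

func main() {
	for _, fixed := range []bool{false, true} {
		a, b, err := Demo(fixed)
		fmt.Printf("one-entry cache=%v: callback state %q, permissions %q, err=%v\n", fixed, a, b, err)
	}
}
```

With the full cache, the signed request for the already-queried key never reaches the callback, so `lastCallbackUser` still names the other account while the returned permissions name the key that signed; with the one-entry cache both agree. Either way, the permissions returned after the handshake are the value an application should base authorization on, which is what the fork exposes.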
Diffstat (limited to 'go.mod')
-rw-r--r-- | go.mod | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -301,3 +301,5 @@ replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.22.0 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1 replace github.com/goccy/go-json => github.com/grafana/go-json v0.0.0-20241210211703-a119ee5a0a3b + +replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 |
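Review bot: the new `replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616` pins the fork to an untagged pseudo-version, unlike the neighbouring `act` and `archiver` replacements which use tags; a tag on the fork (or a comment in go.mod naming the upstream fix it carries) would make future bumps and audits easier. The diffstat is limited to go.mod, so the matching go.sum entries for the fork cannot be checked here; confirm they are part of the same commit.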