CRITICAL 9.1

GHSA-jppx-rxg9-jmrx

golang.org/x/crypto/ssh/agent doesn't enforce invoking key constraints

상세

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Go / golang.org/x/crypto/ssh/agent

최초 영향 버전: 0 수정 버전: 0.52.0

수정 go get golang.org/x/crypto/ssh/agent@v0.52.0

참고

https://nvd.nist.gov/vuln/detail/CVE-2026-39833 [ADVISORY]
https://cs.opensource.google/go/x/crypto [PACKAGE]
https://go.dev/cl/778640 [WEB]
https://go.dev/cl/778641 [WEB]
https://go.dev/issue/79436 [WEB]
https://groups.google.com/g/golang-announce/c/a082jnz-LvI [WEB]
https://pkg.go.dev/vuln/GO-2026-5005 [WEB]