From c554d9c724475a5e43b5ffa1f84efd6ca68b9c7a Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Thu, 4 Jan 2024 20:36:39 -0500 Subject: [PATCH] terrapin reference Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --- changelogs/v0.25.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/v0.25.0.md b/changelogs/v0.25.0.md index fe7e7e7fd..51cbda7b7 100644 --- a/changelogs/v0.25.0.md +++ b/changelogs/v0.25.0.md @@ -102,7 +102,7 @@ Changes that are expected to cause an incompatibility. * bump github.com/prometheus/common from 0.44.0 to 0.45.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4686 * bump distroless/base from `46c5b9b` to `b31a6e0` in /.github by @dependabot in https://github.com/pomerium/pomerium/pull/4670 * zero/openapi: pin v1.0.0 of a runtime by @wasaga in https://github.com/pomerium/pomerium/pull/4851 -* bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860 +* bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4860. This includes a patch for [GO-2023-2402](https://pkg.go.dev/vuln/GO-2023-2402) / [CVE-2023-48795](https://github.com/advisories/GHSA-45x7-px36-x8w8) (Terrapin). Note that Pomerium does not use the affected [golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh) package from this module. * bump github.com/spf13/viper from 1.16.0 to 1.18.2 by @dependabot in https://github.com/pomerium/pomerium/pull/4861 * bump github.com/aws/aws-sdk-go-v2 from 1.22.2 to 1.24.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4840 * bump docker/metadata-action from 5.3.0 to 5.4.0 by @dependabot in https://github.com/pomerium/pomerium/pull/4891
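Review bot: in the added `golang.org/x/crypto` entry of `changelogs/v0.25.0.md`, the link labelled CVE-2023-48795 points at the GitHub advisory GHSA-45x7-px36-x8w8 rather than a CVE record. Label it with the GHSA id or change the target so the text and the destination match. The sentence "Pomerium does not use the affected golang.org/x/crypto/ssh package" is the security-relevant claim in this line, and nothing in the change supports it. State whether it covers only Pomerium's own imports or the full dependency graph, and how that was checked, so readers deciding how urgently to upgrade can verify it. As a style point, this is the only entry in the visible list with prose after the PR URL, and the full stop sits directly against the bare link; putting the note in parentheses or on an indented continuation line would keep the bump list uniform.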