data/reports: modify 2 reports

thatnealpatel · gopherbot · commit 88dcc341ad04 · 2025-11-20T08:52:31.000-08:00
- data/reports/GO-2025-4134.yaml - data/reports/GO-2025-4135.yaml Updates #4134 Updates #4135 Fixes #4143 Fixes #4145 Change-Id: Ief26a0b20435e027c3b8dab6ef810d1b2abc848d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/722381 Auto-Submit: Neal Patel <nealpatel@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/data/cve/v5/GO-2025-4134.json b/data/cve/v5/GO-2025-4134.json
@@ -9,7 +9,7 @@
       "providerMetadata": {
         "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
       },
-      "title": "CVE-2025-58181 in golang.org/x/crypto/ssh",
+      "title": "Unbounded memory consumption in golang.org/x/crypto/ssh",
       "descriptions": [
         {
           "lang": "en",
@@ -22,6 +22,14 @@
           "product": "golang.org/x/crypto/ssh",
           "collectionURL": "https://pkg.go.dev",
           "packageName": "golang.org/x/crypto/ssh",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "0.45.0",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
           "programRoutines": [
             {
               "name": "parseGSSAPIPayload"
@@ -30,7 +38,7 @@
               "name": "NewServerConn"
             }
           ],
-          "defaultStatus": "affected"
+          "defaultStatus": "unaffected"
         }
       ],
       "problemTypes": [
diff --git a/data/cve/v5/GO-2025-4135.json b/data/cve/v5/GO-2025-4135.json
@@ -9,7 +9,7 @@
       "providerMetadata": {
         "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
       },
-      "title": "CVE-2025-47914 in golang.org/x/crypto/ssh/agent",
+      "title": "Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent",
       "descriptions": [
         {
           "lang": "en",
@@ -22,6 +22,14 @@
           "product": "golang.org/x/crypto/ssh/agent",
           "collectionURL": "https://pkg.go.dev",
           "packageName": "golang.org/x/crypto/ssh/agent",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "0.45.0",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
           "programRoutines": [
             {
               "name": "parseConstraints"
@@ -33,7 +41,7 @@
               "name": "ServeAgent"
             }
           ],
-          "defaultStatus": "affected"
+          "defaultStatus": "unaffected"
         }
       ],
       "problemTypes": [
diff --git a/data/osv/GO-2025-4134.json b/data/osv/GO-2025-4134.json
@@ -4,9 +4,10 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2025-58181"
+    "CVE-2025-58181",
+    "GHSA-j5w8-q4qc-rx2x"
   ],
-  "summary": "CVE-2025-58181 in golang.org/x/crypto/ssh",
+  "summary": "Unbounded memory consumption in golang.org/x/crypto/ssh",
   "details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",
   "affected": [
     {
@@ -20,6 +21,9 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "0.45.0"
             }
           ]
         }
@@ -33,19 +37,6 @@
               "parseGSSAPIPayload"
             ]
           }
-        ],
-        "custom_ranges": [
-          {
-            "type": "ECOSYSTEM",
-            "events": [
-              {
-                "introduced": "0"
-              },
-              {
-                "fixed": "0.45.0"
-              }
-            ]
-          }
         ]
       }
     }
diff --git a/data/osv/GO-2025-4135.json b/data/osv/GO-2025-4135.json
@@ -4,9 +4,10 @@
   "modified": "0001-01-01T00:00:00Z",
   "published": "0001-01-01T00:00:00Z",
   "aliases": [
-    "CVE-2025-47914"
+    "CVE-2025-47914",
+    "GHSA-f6x5-jh6r-wrfv"
   ],
-  "summary": "CVE-2025-47914 in golang.org/x/crypto/ssh/agent",
+  "summary": "Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent",
   "details": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.",
   "affected": [
     {
@@ -20,6 +21,9 @@
           "events": [
             {
               "introduced": "0"
+            },
+            {
+              "fixed": "0.45.0"
             }
           ]
         }
@@ -34,19 +38,6 @@
               "parseConstraints"
             ]
           }
-        ],
-        "custom_ranges": [
-          {
-            "type": "ECOSYSTEM",
-            "events": [
-              {
-                "introduced": "0"
-              },
-              {
-                "fixed": "0.45.0"
-              }
-            ]
-          }
         ]
       }
     }
diff --git a/data/reports/GO-2025-4134.yaml b/data/reports/GO-2025-4134.yaml
@@ -1,7 +1,7 @@
 id: GO-2025-4134
 modules:
     - module: golang.org/x/crypto
-      non_go_versions:
+      versions:
         - fixed: 0.45.0
       vulnerable_at: 0.44.0
       packages:
@@ -10,11 +10,13 @@ modules:
             - parseGSSAPIPayload
           derived_symbols:
             - NewServerConn
-summary: CVE-2025-58181 in golang.org/x/crypto/ssh
+summary: Unbounded memory consumption in golang.org/x/crypto/ssh
 description: |-
     SSH servers parsing GSSAPI authentication requests do not validate the number of
     mechanisms specified in the request, allowing an attacker to cause unbounded
     memory consumption.
+ghsas:
+    - GHSA-j5w8-q4qc-rx2x
 credits:
     - Jakub Ciolek
 references:
diff --git a/data/reports/GO-2025-4135.yaml b/data/reports/GO-2025-4135.yaml
@@ -1,7 +1,7 @@
 id: GO-2025-4135
 modules:
     - module: golang.org/x/crypto
-      non_go_versions:
+      versions:
         - fixed: 0.45.0
       vulnerable_at: 0.44.0
       packages:
@@ -11,11 +11,13 @@ modules:
           derived_symbols:
             - ForwardToAgent
             - ServeAgent
-summary: CVE-2025-47914 in golang.org/x/crypto/ssh/agent
+summary: Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
 description: |-
-    SSH Agent servers do not validate the size of messages when processing new
-    identity requests, which may cause the program to panic if the message is
-    malformed due to an out of bounds read.
+    SSH Agent servers do not validate the size of messages when processing
+    new identity requests, which may cause the program to panic if the
+    message is malformed due to an out of bounds read.
+ghsas:
+    - GHSA-f6x5-jh6r-wrfv
 credits:
     - Jakub Ciolek
 references:

Original file line number	Diff line number	Diff line change
`@@ -4,9 +4,10 @@`
`4`	`4`	`"modified": "0001-01-01T00:00:00Z",`
`5`	`5`	`"published": "0001-01-01T00:00:00Z",`
`6`	`6`	`"aliases": [`
`7`		`- "CVE-2025-58181"`
	`7`	`+ "CVE-2025-58181",`
	`8`	`+ "GHSA-j5w8-q4qc-rx2x"`
`8`	`9`	`],`
`9`		`- "summary": "CVE-2025-58181 in golang.org/x/crypto/ssh",`
	`10`	`+ "summary": "Unbounded memory consumption in golang.org/x/crypto/ssh",`
`10`	`11`	`"details": "SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.",`
`11`	`12`	`"affected": [`
`12`	`13`	`{`
`@@ -20,6 +21,9 @@`
`20`	`21`	`"events": [`
`21`	`22`	`{`
`22`	`23`	`"introduced": "0"`
	`24`	`+ },`
	`25`	`+ {`
	`26`	`+ "fixed": "0.45.0"`
`23`	`27`	`}`
`24`	`28`	`]`
`25`	`29`	`}`
`@@ -33,19 +37,6 @@`
`33`	`37`	`"parseGSSAPIPayload"`
`34`	`38`	`]`
`35`	`39`	`}`
`36`		`- ],`
`37`		`- "custom_ranges": [`
`38`		`- {`
`39`		`- "type": "ECOSYSTEM",`
`40`		`- "events": [`
`41`		`- {`
`42`		`- "introduced": "0"`
`43`		`- },`
`44`		`- {`
`45`		`- "fixed": "0.45.0"`
`46`		`- }`
`47`		`- ]`
`48`		`- }`
`49`	`40`	`]`
`50`	`41`	`}`
`51`	`42`	`}`