Commit Graph

6 Commits

Author SHA1 Message Date
Chris Darroch
c175fdb049 vendor,go.*: update x/crypto and x/text modules
Update the vendored golang.org/x/crypto and golang.org/x/text
modules to the latest versions, which in turn updates the vendored
copy of the golang.org/x/net and golang.org/x/sys modules.

Updating these modules' entries in vendor/modules.txt and go.{mod,sum}
means we will not be flagged by security scanners regarding either
CVE-2021-38561 or CVE-2022-27191, neither of which should actually
affect Git LFS.

The Git LFS client should not be affected by CVE-2021-38561 as it
pertains to the Go x/text/language package and specifically the BCP 47
tag functions, which Git LFS does not use.

The Git LFS client should not be affected by CVE-2022-27191 as it
pertains to the Go x/crypto/ssh package and specifically a crash
vulnerability in the SSH server functions, which Git LFS does not use.

The specific commands run to perform this update were:

  go get golang.org/x/crypto@latest &&
  go get golang.org/x/text@latest &&
  go mod tidy && go mod vendor
2022-04-25 17:16:38 -07:00
brian m. carlson
78bb9fa275 Vendor dependencies
2021-11-15 14:59:20 +00:00
Ondřej Pohořelský
06765e4305 update x/text and dependencies
Update x/text to v0.3.5 that fixes CVE-2020-28852.

The specific commands used for this update:
"go get golang.org/x/text@latest && go mod tidy && go mod vendor"
2021-03-29 11:44:13 +02:00
Chris Darroch
bbdcbca83a vendor,go.{mod,sum}: update x/net and dependencies
Update the vendored golang.org/x/net module to the latest
version, which in turn updates the vendored copy of the
golang.org/x/text module to 0.3.3.  That version of x/text
includes a mitigation of CVE-2020-14040, which pertains to
processing UTF-16 data with a Byte Order Mark.

The Git LFS client should not be affected by that security
issue, since it does not open streams in UTF-16 mode, but
we update our modules to stay current with the upstream Go
sources and also to avoid being flagged by security scanners.

The specific commands run to perform this update were:
"go get golang.org/x/net@latest && go mod tidy && go mod vendor"
2021-02-08 12:45:26 -08:00
brian m. carlson
1db5cb2b44 Fix vendoring for Go 1.13
Run "make vendor" to update all the required vendor paths.
2019-09-11 18:23:56 +00:00
Lilah Ingvaldsen
b45e832572 Vendor golang.org/x/net dependency
Vendor the `golang.org/x/net` dependency. This will be used in a
future commit to add HTTP/2 transport support.

Note that due to the way go modules work, the `golang.org/x/sys`
dependency was updated as well when running `make vendor`.
2019-08-27 10:24:20 -07:00