c175fdb049
Update the vendored golang.org/x/crypto and golang.org/x/text
modules to the latest versions, which in turn updates the vendored
copy of the golang.org/x/net and golang.org/x/sys modules.
Updating these modules' entries in vendor/modules.txt and go.{mod,sum}
means we will not be flagged by security scanners regarding either
CVE-2021-38561 or CVE-2022-27191, neither of which should actually
affect Git LFS.
The Git LFS client should not be affected by CVE-2021-38561 as it
pertains the Go x/text/language package and specifically the BCP 47
tag functions, which Git LFS does not use.
The Git LFS client should not be affected by CVE-2022-27191 as it
pertains to the Go x/crypto/ssh package and specifically a crash
vulnerability in the SSH server functions, which Git LFS does not use.
The specific commands run to perform this update were:
go get golang.org/x/crypto@latest &&
go get golang.org/x/text@latest &&
go mod tidy && go mod vendor
|
||
|---|---|---|
| .. | ||
| github.com | ||
| golang.org/x | ||
| gopkg.in/yaml.v3 | ||
| modules.txt | ||