VULN UPGRADE: minor: golang.org/x/crypto · patch: github.com/sirupsen/logrus

[campaigner-prod]

Summary: Critical-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• . (go)

Updates

Package	From	To	Type	Vulnerabilities Fixed
golang.org/x/crypto	v0.14.0	v0.46.0	minor	1 CRITICAL, 1 HIGH, 3 MODERATE, 6 UNKNOWN
github.com/sirupsen/logrus	v1.9.0	v1.9.3	patch	1 HIGH

---

Security Details

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GHSA-v778-237x-gjrc	CRITICAL	Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto	v0.14.0	0.31.0
github.com/sirupsen/logrus	GHSA-4f99-4q7p-p3gh	HIGH	Logrus is vulnerable to DoS when using Entry.Writer()	v1.9.0	1.8.3
golang.org/x/crypto	GHSA-hcg3-q754-cr77	HIGH	golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange	v0.14.0	0.35.0

ℹ️ Other Vulnerabilities (9)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
golang.org/x/crypto	GHSA-45x7-px36-x8w8	MODERATE	Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin	v0.14.0	0.17.0
golang.org/x/crypto	GHSA-j5w8-q4qc-rx2x	MODERATE	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	v0.14.0	0.45.0
golang.org/x/crypto	GHSA-f6x5-jh6r-wrfv	MODERATE	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	v0.14.0	0.45.0
golang.org/x/crypto	GO-2025-4135	unknown	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent	v0.14.0	0.45.0
golang.org/x/crypto	GO-2024-3321	unknown	Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto	v0.14.0	0.31.0
golang.org/x/crypto	GO-2025-4134	unknown	Unbounded memory consumption in golang.org/x/crypto/ssh	v0.14.0	0.45.0
golang.org/x/crypto	GO-2025-4116	unknown	Potential denial of service in golang.org/x/crypto/ssh/agent	v0.14.0	0.43.0
golang.org/x/crypto	GO-2023-2402	unknown	Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto	v0.14.0	0.17.0
golang.org/x/crypto	GO-2025-3487	unknown	Potential denial of service in golang.org/x/crypto	v0.14.0	0.35.0

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
github.com/sirupsen/logrus	v1.9.0	Jul 19, 2025	v1.9.3	go.mod

---

Review Checklist

Enhanced review recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[dd-prapprover]

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

• ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-01-20T21:24:06Z
• ⬜ CI tests passed
• ⬜ Approved
• ⬜ Merge Started
• ⬜ Merged

➡️ Current phase: CI tests failed, please fix and re-trigger