
Upgrade goxmldsig to v1.6.0 to fix CVE-2026-33487 #662

Open

kmansou wants to merge 19 commits into crewjam:main from retailnext:fix/dependabot-4-goxmldsig-upgrade

Conversation

@kmansou kmansou commented Mar 25, 2026

Summary

  • Upgrades github.com/russellhaering/goxmldsig from v1.5.0 to v1.6.0 to fix GHSA-479m-364c-43vc (CVE-2026-33487)
  • Also upgrades github.com/beevik/etree from v1.5.0 to v1.6.0 (required by goxmldsig v1.6.0)

Vulnerability: Loop variable capture in validateSignature in goxmldsig allows an attacker to bypass XML signature integrity checks by substituting content from another referenced element.

Fixes: https://github.com/retailnext/saml/security/dependabot/4

Test plan

  • All existing tests pass (go test ./...)

🤖 Generated with Claude Code
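The description above names the bug class (a captured loop variable in a reference-validation loop) but not how such a bug lets content be substituted. The following is an added illustration written for this page; it is not goxmldsig's code, nor the PR's, and it does not claim to match goxmldsig's internals. `Reference`, `checkRef`, `validateCaptured`, `validateFixed`, `demo` and the two-element sample document are all constructed here. `validateCaptured` declares the loop variable once outside the loop, which is how `for _, ref := range refs` behaved before Go 1.22, so every queued check ends up looking at the last reference and the rewritten first element goes unnoticed; `validateFixed` gives each iteration its own copy.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Reference stands in for an XML-DSig <Reference>: the element it covers and
// the digest the signer committed to. Constructed for this example; not a
// goxmldsig type.
type Reference struct {
	URI    string
	Digest string
}

func digestOf(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// checkRef is the per-reference integrity test: the element the URI names must
// hash to the committed digest.
func checkRef(ref Reference, doc map[string]string) error {
	body, ok := doc[ref.URI]
	if !ok {
		return fmt.Errorf("reference %s: element not found", ref.URI)
	}
	if digestOf(body) != ref.Digest {
		return fmt.Errorf("reference %s: digest mismatch", ref.URI)
	}
	return nil
}

// validateCaptured reproduces the loop-variable-capture bug class. `ref` is
// declared once, outside the loop, which is exactly what
// `for _, ref := range refs` meant before Go 1.22: every closure queued in the
// loop shares that single variable, and when the closures run they all see its
// final value, i.e. the last reference. Earlier references are never checked.
func validateCaptured(refs []Reference, doc map[string]string) error {
	var ref Reference
	var pending []func() error
	for i := range refs {
		ref = refs[i]
		pending = append(pending, func() error { return checkRef(ref, doc) })
	}
	for _, run := range pending {
		if err := run(); err != nil {
			return err
		}
	}
	return nil
}

// validateFixed gives each closure its own copy of the reference, so every
// element named by the signature is checked against its own digest.
func validateFixed(refs []Reference, doc map[string]string) error {
	var pending []func() error
	for i := range refs {
		ref := refs[i] // fresh variable per iteration
		pending = append(pending, func() error { return checkRef(ref, doc) })
	}
	for _, run := range pending {
		if err := run(); err != nil {
			return err
		}
	}
	return nil
}

// demo builds a constructed two-element document, commits to both elements,
// then lets an attacker rewrite the first one. It returns both verdicts.
func demo() (captured, fixed error) {
	doc := map[string]string{
		"#assertion":  `<Assertion><NameID>alice</NameID></Assertion>`,
		"#conditions": `<Conditions NotOnOrAfter="2026-03-25T14:00:00Z"/>`,
	}
	refs := []Reference{
		{URI: "#assertion", Digest: digestOf(doc["#assertion"])},
		{URI: "#conditions", Digest: digestOf(doc["#conditions"])},
	}
	doc["#assertion"] = `<Assertion><NameID>admin</NameID></Assertion>` // tampered
	return validateCaptured(refs, doc), validateFixed(refs, doc)
}

func main() {
	captured, fixed := demo()
	fmt.Println("shared loop variable:", captured) // <nil>: tampering missed
	fmt.Println("per-iteration copy:  ", fixed)    // reference #assertion: digest mismatch
}
```

Caveat for anyone relying on the toolchain instead of the upgrade: Go 1.22's per-iteration loop variables apply only to packages whose own go.mod declares go 1.22 or later, so whether a dependency's loop closures share a variable is decided by the dependency's go.mod, not by the module that imports it. A newer local toolchain does not mask this class of bug in a library.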

dependabot[bot] and others added 19 commits (January 15, 2026 05:21):

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.33.0 to 0.45.0.
- [Commits](golang/crypto@v0.33.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

…g/x/crypto-0.45.0

Bump golang.org/x/crypto from 0.33.0 to 0.45.0

Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.2 to 5.3.0.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v5.2.2...v5.3.0)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/russellhaering/goxmldsig/releases)
- [Commits](russellhaering/goxmldsig@v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/russellhaering/goxmldsig
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…m/russellhaering/goxmldsig-1.5.0

Bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.5.0

…m/golang-jwt/jwt/v5-5.3.0

Bump github.com/golang-jwt/jwt/v5 from 5.2.2 to 5.3.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.45.0 to 0.47.0.
- [Commits](golang/crypto@v0.45.0...v0.47.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…g/x/crypto-0.47.0

Bump golang.org/x/crypto from 0.45.0 to 0.47.0

Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.3.0 to 5.3.1.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Commits](golang-jwt/jwt@v5.3.0...v5.3.1)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

…m/golang-jwt/jwt/v5-5.3.1

Bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.47.0 to 0.48.0.
- [Commits](golang/crypto@v0.47.0...v0.48.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…g/x/crypto-0.48.0

Bump golang.org/x/crypto from 0.47.0 to 0.48.0

Using `go-version: stable` resolved to Go 1.26, but go.mod declares
go 1.24.0. golangci-lint was picking up a file from the Go 1.26
toolchain's own vendor directory:

  golang.org/x/crypto/chacha20poly1305/fips140only_go1.26.go

This file has a `//go:build go1.26` constraint, which causes a typecheck
failure when the module is built with go 1.24. That failure cascades
into false-positive errors across the codebase.

Switching to `go-version-file: go.mod` pins CI to the Go version
declared in go.mod, ensuring toolchain and module version stay in sync.

Check public key type instead of private key type to support
crypto.Signer implementations (e.g. GCP KMS, AWS KMS, HSM)
that aren't concrete *rsa.PrivateKey or *ecdsa.PrivateKey types.

Supports RSA (RS256/RS384/RS512), RSA-PSS (PS256/PS384/PS512),
ECDSA (ES256/ES384/ES512), and EdDSA signing methods via
crypto.Signer for JWT session and tracked request signing.

Add crypto.Signer support for KMS/HSM keys

We need this because our Ruby SAML lib supported SHA1 fingerprints, and
when we migrate from Ruby to Go we need this until every sub is fully
migrated to Go SAML SSO and has a metadata_url configured.

Fixes GHSA-479m-64c4-43vc: loop variable capture in validateSignature
allows signature bypass. Also upgrades beevik/etree to v1.6.0 as
required by goxmldsig v1.6.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@kmansou kmansou requested a review from crewjam as a code owner March 25, 2026 13:40
@GharibDamicheOBS

+1, we're waiting for this update

@john-floren-gravwell

We need the bump too but what's all this other code going in as well?
