)]}'
{
  "commit": "6a37f45eddca654cbccc059e9eb720d1f874c284",
  "tree": "120552e9494f99bc0904cf82c122acdf298d7d49",
  "parents": [
    "4d43cbd816d5b3d8911e329595cf2622dea2a3a8"
  ],
  "author": {
    "name": "Neal Patel",
    "email": "nealpatel@google.com",
    "time": "Wed Nov 19 13:35:12 2025 -0500"
  },
  "committer": {
    "name": "Kevin Berry",
    "email": "kpberry@google.com",
    "time": "Tue Dec 09 22:13:31 2025 +0000"
  },
  "message": "ssh: curb GSSAPI DoS risk by limiting number of specified OIDs\n\nPreviously, an attacker could specify an integer up to 0xFFFFFFFF\nthat would directly allocate memory despite the observability of\nthe rest of the payload. This change places a hard cap on the\namount of mechanisms that can be specified and encoded in the\npayload. Additionally, it performs a small sanity check to deny\npayloads whose stated size is contradictory to the observed payload.\n\nThank you to Jakub Ciolek for reporting this issue.\n\nFixes CVE-2025-58181\nFixes golang/go#76363\n\nBUG\u003db/462704403\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dNone\n\ncos-patch: bug\nReviewed-on: https://go-review.googlesource.com/c/crypto/+/721961\nAuto-Submit: Roland Shoemaker \u003croland@golang.org\u003e\nReviewed-by: Damien Neil \u003cdneil@google.com\u003e\nLUCI-TryBot-Result: Go LUCI \u003cgolang-scoped@luci-project-accounts.iam.gserviceaccount.com\u003e\nChange-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "24bd7c8e830484a6dcb73a1f4a446964419b2e28",
      "old_mode": 33188,
      "old_path": "vendor/golang.org/x/crypto/ssh/ssh_gss.go",
      "new_id": "a6249a1227b520ec7177b56fbd33c2c7ea302b47",
      "new_mode": 33188,
      "new_path": "vendor/golang.org/x/crypto/ssh/ssh_gss.go"
    }
  ]
}