From 5a0d2eda9034dd1874ef1c8cbffcb6f97b47413f Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 23 Jun 2026 14:01:57 +0000 Subject: [PATCH] chore: upgrade golang.org/x/crypto to ^0.52.0 to address CVE-2026-39827 Force-upgrade x/crypto in the zoekt Docker build to a patched version (>= v0.52.0) to address CVE-2026-39827, where an authenticated SSH client repeatedly opening rejected channels could cause unbounded memory growth in the server. x/crypto enters the image only via the vendored zoekt Go build, so the upgrade is applied there. Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1421/sourcebot-devsourcebot-cve-2026-39827-an-authenticated-ssh-client-that#agent-session-dd6262ca) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ Dockerfile | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 593e735db..e7778bdc5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353) +### Fixed +- Upgraded `golang.org/x/crypto` to `^0.52.0` in the zoekt build to address CVE-2026-39827. [#1363](https://github.com/sourcebot-dev/sourcebot/pull/1363) + ## [5.0.4] - 2026-06-18 ### Changed diff --git a/Dockerfile b/Dockerfile index 6c6b2439f..c78f35b55 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -26,6 +26,10 @@ WORKDIR /zoekt COPY vendor/zoekt/go.mod vendor/zoekt/go.sum ./ RUN go mod download COPY vendor/zoekt ./ +# Force-upgrade golang.org/x/crypto to a patched version to address CVE-2026-39827 +# (unbounded memory growth from repeatedly-rejected SSH channels). This pulls the +# fixed version into the built zoekt binaries; remove once vendor/zoekt pins >= v0.52.0. +RUN go get golang.org/x/crypto@v0.52.0 RUN CGO_ENABLED=0 GOOS=linux go build -o /cmd/ ./cmd/... # -------------------------
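Review bot: in the CHANGELOG hunk, the `### Fixed` entry states the upgrade as `^0.52.0`, but the Dockerfile change it documents runs `go get golang.org/x/crypto@v0.52.0`, which pins an exact module version; Go modules have no caret-range syntax, so `^0.52.0` does not describe what the build actually does. Suggest rewording the entry to `Upgraded \`golang.org/x/crypto\` to v0.52.0 in the zoekt build to address CVE-2026-39827.` so the changelog matches the version the build pins.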
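Review bot: in the Dockerfile hunk, the added `RUN go get golang.org/x/crypto@v0.52.0` rewrites go.mod and go.sum only inside the image layer, so the `vendor/zoekt/go.mod` and `go.sum` copied a few lines earlier still declare the unpatched version and nothing in the build asserts that the override took effect before `go build` runs. Suggest adding an explicit check between the `go get` line and the build, e.g. `RUN go list -m golang.org/x/crypto | grep -q ' v0.52.0$'`, so the build fails loudly if a later change to the vendored module graph silently reverts the fix; the comment's "remove once vendor/zoekt pins >= v0.52.0" is the right long-term direction and the check makes that interim state verifiable.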