crypto 0.21.0 in git-lfs 3.6.0

[daipok]

Describe the issue
We noticed this is already done:
4e2d7b0

Mainly concerning about CVE-2024-45337

What is the possible timeline of another release?

Currently we are still on 3.5.1 thinking of upgrading to 3.6.0 but getting another vulnerability issue so we are evaluating

System environment
Rocky8

Output of git lfs env
The output of running git lfs env as a code block.
`
git-lfs/3.5.1 (GitHub; linux amd64; go 1.21.7; git e237bb3)
git version 2.43.5

LocalWorkingDir=
LocalGitDir=
LocalGitStorageDir=
LocalMediaDir=lfs/objects
LocalReferenceDirs=
TempDir=lfs/tmp
ConcurrentTransfers=8
TusTransfers=false
BasicTransfersOnly=false
SkipDownloadErrors=false
FetchRecentAlways=false
FetchRecentRefsDays=7
FetchRecentCommitsDays=0
FetchRecentRefsIncludeRemotes=true
PruneOffsetDays=3
PruneVerifyRemoteAlways=false
PruneVerifyUnreachableAlways=false
PruneRemoteName=origin
LfsStorageDir=lfs
AccessDownload=none
AccessUpload=none
DownloadTransfers=basic,lfs-standalone-file,ssh
UploadTransfers=basic,lfs-standalone-file,ssh
GIT_EXEC_PATH=/usr/libexec/git-core
git config filter.lfs.process = ""
git config filter.lfs.smudge = ""
git config filter.lfs.clean = ""
`

Additional context
Any other relevant context about the problem here.

[chrisd8088]

As noted in #5935 (review), the vulnerability addressed by the update to the x/crypto Go module in v0.31.0, reported as CVE-2024-45337, only pertains to the x/crypto/ssh package's ServerConfig type, which the Git LFS client does not use.

The Git LFS client never acts as an SSH server, so there is no immediate necessity for us to upgrade the module and release a new version of Git LFS.

While some of the Go packages we use indirectly import packages from the x/crypto module, none of them are the x/crypto/ssh package. We can confirm this is the case by running go list -json all | grep x/crypto/ssh, which returns no output.

Nevertheless, we might as well upgrade the module, so that when we do release v3.7.0 of the Git LFS client, security scanners will not generate false positive reports about the version of the x/crypto module we use.

For reference, the details of the vulnerability and its partial mitigation are described in golang/go#70779 and also in the release announcements for version 0.31.0 of the x/crypto module.

What is the possible timeline of another release?

Our hope is that we'll release several minor versions of Git LFS in 2025, rather than just the two we managed in 2024. If we're able to do that, I would expect we might release v3.7.0 sometime in the first half of 2025.

[jamison-lahman-ai]

Are we still expecting a v3.7.0 release this quarter? Thanks

[chrisd8088]

Are we still expecting a v3.7.0 release this quarter?

Yes, we'd like to make a v3.7.0 release in the next few months. Unfortunately an April release is unlikely due to a confluence of $DAYJOB and other responsibilities, and we remain short-handed in our core team, so we have a number of PRs we'd like to merge that are pending review and further work to make them complete.

[jamison-lahman-ai]

Sounds reasonable. Thanks. If there's something a new contributor can do to help, let me know.

[chrisd8088]

We've released v3.7.0 today, which is built with v0.36.0 of the x/crypto module, so I'm going to close this issue now.