Upgrade golang.org/x/crypto from v0.38.0 to v0.48.0 to resolve
CVE-2025-47913 (GO-2025-4116), a denial-of-service vulnerability in
golang.org/x/crypto/ssh/agent where SSH clients receiving
SSH_AGENT_SUCCESS when expecting a typed response will panic and cause
early termination of the client process. The fix was introduced in
v0.43.0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
Update several moving parts of cloudflared build system:
* use goboring 1.24.2 in cfsetup
* update linter and fix lint issues
* update packages namely **quic-go and net**
* install script for macos
* update docker files to use go 1.24.1
* remove usage of cloudflare-go
* pin golang linter
Closes TUN-9016
## Summary
In order to make cloudflared behavior more predictable and
prevent an exhaustion of resources, we have decided to add
session limits that can be configured by the user. This first
commit introduces the session limiter and adds it to the UDP
handling path. For now the limiter is set to run only in
unlimited mode.
limkevin.chao
Luis Neto
João "Pisco" Fernandes
Devin Carr
Sudarsan Reddy
Michael Borkenstein
Areg Harutyunyan