[security] Vulnerability in golang.org/x/crypto/ssh

Filippo Valsorda

unread,

Feb 20, 2020, 1:41:18 PM2/20/20

to golan...@googlegroups.com

Hello gophers,

Version v0.0.0-20200220183623-bac4c82f6975 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed peers to cause a panic in SSH servers that accept public keys and in any SSH client.

An attacker can craft an ssh-ed25519 or sk-ssh-...@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.

This issue was discovered and reported by Alex Gaynor, Fish in a Barrel, and is tracked as CVE-2020-9283.

Cheers,
Filippo for the Go team

Jakob Borg

unread,

Feb 22, 2020, 3:36:30 AM2/22/20

to golang-nuts

On 20 Feb 2020, at 19:40, Filippo Valsorda <fil...@golang.org> wrote:

Version v0.0.0-20200220183623-bac4c82f6975 of golang.org/x/crypto fixes a vulnerability

Am I the only one to think that this kind of versioning is not ideal for a module that's important (and stable) enough to require CVE:s and vulnerability announcements? Even something trivial like just linearly increasing the patch version (v0.0.47 etc) would be easier to deal with in go.mods and still communicate a lack of compatibility guarantee...

//jb

Manlio Perillo

unread,

Feb 22, 2020, 2:15:12 PM2/22/20

to golang-nuts

That will mean releasing a new version for every new commit.

Manlio

Reply all

Reply to author

Forward