Hello gophers,
Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed clients to cause a panic in SSH servers.
An attacker can craft an authentication request message for the “gssapi-with-mic” method that causes NewServerConn to panic via a nil pointer dereference whenever ServerConfig.GSSAPIWithMICConfig is nil, which is the case on every server that has not explicitly enabled GSSAPI authentication. The message is processed during user authentication, before any credentials are checked, so no account on the server is required.
This issue was discovered and reported by Joern Schneeweisz, GitLab Security Research Team, and is tracked as CVE-2020-29652.
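The bug pattern, as an added example that is not the x/crypto code itself: a constructed, stand-alone model of the server's user-auth dispatch in which the per-method configuration lives behind optional pointers (the ServerConfig, GSSAPIWithMICConfig, vulnerableAuth, fixedAuth and tryAuth names below are assumptions for this example, not the library's API). The vulnerable arm dereferences the operator-controlled pointer on an attacker-chosen method name; the fixed arm adds the nil check so an unconfigured method is rejected like any other unsupported one.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the server-side user-auth dispatch in
// golang.org/x/crypto/ssh. It is not the library's code: the type and
// function names below are stand-ins chosen for this example.

// GSSAPIWithMICConfig stands in for ssh.GSSAPIWithMICConfig, the callbacks a
// server operator must supply to enable the "gssapi-with-mic" method.
type GSSAPIWithMICConfig struct {
	AllowLogin func(user string) (bool, error)
}

// ServerConfig stands in for ssh.ServerConfig. Each method's configuration is
// optional; a nil GSSAPIWithMICConfig means the operator never enabled GSSAPI,
// but nothing stops a client from naming the method in its request.
type ServerConfig struct {
	PasswordCallback    func(user, password string) (bool, error)
	GSSAPIWithMICConfig *GSSAPIWithMICConfig
}

var errNotConfigured = errors.New("ssh: auth method not configured")

// vulnerableAuth mirrors the pre-fix behaviour: the "gssapi-with-mic" arm
// assumes the config pointer is set and dereferences it unconditionally.
func vulnerableAuth(cfg *ServerConfig, method, user, password string) (bool, error) {
	switch method {
	case "password":
		if cfg.PasswordCallback == nil {
			return false, errNotConfigured
		}
		return cfg.PasswordCallback(user, password)
	case "gssapi-with-mic":
		// Nil pointer dereference when GSSAPIWithMICConfig is nil: the method
		// name is client-controlled, the pointer is operator-controlled.
		return cfg.GSSAPIWithMICConfig.AllowLogin(user)
	}
	return false, errNotConfigured
}

// fixedAuth adds the missing check: an unconfigured method is rejected the
// same way as an unknown one, and the server keeps serving the connection.
func fixedAuth(cfg *ServerConfig, method, user, password string) (bool, error) {
	switch method {
	case "password":
		if cfg.PasswordCallback == nil {
			return false, errNotConfigured
		}
		return cfg.PasswordCallback(user, password)
	case "gssapi-with-mic":
		if cfg.GSSAPIWithMICConfig == nil {
			return false, errNotConfigured
		}
		return cfg.GSSAPIWithMICConfig.AllowLogin(user)
	}
	return false, errNotConfigured
}

type authFunc func(cfg *ServerConfig, method, user, password string) (bool, error)

// tryAuth runs one auth attempt and reports whether it panicked. In a real
// server that panic unwinds through NewServerConn and, unless recovered,
// takes the whole process down.
func tryAuth(auth authFunc, cfg *ServerConfig, method string) (ok, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	ok, err = auth(cfg, method, "alice", "hunter2") // constructed client input
	return
}

func main() {
	// Typical deployment: password auth enabled, GSSAPI never configured.
	cfg := &ServerConfig{
		PasswordCallback: func(user, password string) (bool, error) {
			return user == "alice" && password == "hunter2", nil
		},
	}
	for _, method := range []string{"password", "gssapi-with-mic"} {
		_, p1, e1 := tryAuth(vulnerableAuth, cfg, method)
		_, p2, e2 := tryAuth(fixedAuth, cfg, method)
		fmt.Printf("%-16s vulnerable: panicked=%v err=%v | fixed: panicked=%v err=%v\n",
			method, p1, e1, p2, e2)
	}
}
```

To check which version a module is pinned to, run `go list -m golang.org/x/crypto` in the module; `go get golang.org/x/crypto@v0.0.0-20201216223049-8b5274cf687f` (or a later version) picks up the fix. There is no configuration workaround short of enabling GSSAPI, so upgrading is the remedy.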
Cheers,
Roland on behalf of the Go team