[security] Vulnerability in golang.org/x/crypto/ssh

1173 views
Skip to first unread message

Roland Shoemaker

unread,
Dec 16, 2020, 5:36:17 PM12/16/20
to golan...@googlegroups.com

Hello gophers,

Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed clients to cause a panic in SSH servers.

An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

This issue was discovered and reported by Joern Schneewesiz, GitLab Security Research Team, and is tracked as CVE-2020-29652.

Cheers,
Roland on behalf of the Go team

Reply all
Reply to author
Forward
0 new messages