[security] Vulnerability in golang.org/x/crypto/ssh

Roland Shoemaker

Dec 16, 2020, 5:36:17 PM
to golan...@googlegroups.com

Hello gophers,

Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed clients to cause a panic in SSH servers.

An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

This issue was discovered and reported by Joern Schneewesiz, GitLab Security Research Team, and is tracked as CVE-2020-29652.

Cheers,
Roland on behalf of the Go team
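
A check for whether a project's go.mod still requires golang.org/x/crypto at a version older than the fixed one named above, as an added example that is not part of the original announcement or the Go project's code. The function names and the sample go.mod are constructed, and the code assumes that any version that is not a v0.0.0 pseudo-version is a tag published after the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// fixedVersion is the pseudo-version the advisory names as containing the fix.
const fixedVersion = "v0.0.0-20201216223049-8b5274cf687f"

// pseudoTime returns the 14-digit UTC commit timestamp of a v0.0.0 pseudo-version.
func pseudoTime(v string) (string, bool) {
	parts := strings.Split(v, "-")
	if len(parts) != 3 || parts[0] != "v0.0.0" || len(parts[1]) != 14 {
		return "", false
	}
	return parts[1], true
}

// cryptoVersion finds the golang.org/x/crypto requirement in go.mod text.
// It handles single-line and block "require" forms; replace directives are ignored.
func cryptoVersion(gomod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && f[0] == "golang.org/x/crypto" {
			return f[1], true
		}
	}
	return "", false
}

// Affected reports whether go.mod requires x/crypto from before the fix, and the version found.
func Affected(gomod string) (bool, string) {
	v, ok := cryptoVersion(gomod)
	if !ok {
		return false, ""
	}
	ts, isPseudo := pseudoTime(v)
	fixedTS, _ := pseudoTime(fixedVersion)
	// Assumption: tagged (non-pseudo) versions postdate the fix. Timestamps compare as strings.
	return isPseudo && ts < fixedTS, v
}

func main() {
	gomod := "module example.com/sshd\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20201203163018-abcdefabcdef\n)\n" // constructed sample
	fmt.Println(Affected(gomod))
}
```

The version a build actually selects can be higher than the one go.mod requires; `go list -m golang.org/x/crypto` prints the resolved version.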
