commit 42690195e7a88057467ef77518e228530e61991d
author Damien Neil <dneil@google.com> Mon Jan 10 17:12:05 2022 -0800
committer Damien Neil <dneil@google.com> Thu Feb 17 17:35:32 2022 +0000
tree a5e55825759ae2482f0db37c1edda4c3134ef386
parent dc575d67a0f317ca1ccc6f8186faf6a7707ed03e

reports: add GO-2021-0227.yaml for CVE-2020-29652

Fixes golang/vulndb#227

Change-Id: I32faddb1932501ffb7dd4444e7e2f192052c3042
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377580
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

reports/GO-2021-0227.yaml

diff --git a/reports/GO-2021-0227.yaml b/reports/GO-2021-0227.yaml
new file mode 100644
index 0000000..5a61ed9
--- /dev/null
+++ b/reports/GO-2021-0227.yaml
@@ -0,0 +1,19 @@
+module: golang.org/x/crypto
+package: golang.org/x/crypto/ssh
+versions:
+- fixed: v0.0.0-20201216223049-8b5274cf687f
+description: |
+  Clients can cause a panic in SSH servers. An attacker can craft
+  an authentication request message for the “gssapi-with-mic” method
+  which will cause NewServerConn to panic via a nil pointer dereference
+  if ServerConfig.GSSAPIWithMICConfig is nil.
+cves:
+- CVE-2020-29652
+credit: 'Joern Schneewesiz, GitLab Security Research Team'
+symbols:
+- connection.serverAuthenticate
+links:
+  pr: https://go-review.googlesource.com/c/crypto/+/278852
+  commit: https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
+  context:
+  - https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1