blob: 1f8e0be543b213f00593b3b2e3de6c8955d2105c [file] [log] [blame]
packages:
- module: golang.org/x/crypto
package: golang.org/x/crypto/ssh
symbols:
- NewClientConn
versions:
- fixed: 0.0.0-20170330155735-e4e2799dd7aa
description: |
By default host key verification is disabled which allows for
man-in-the-middle attacks against SSH clients if
ClientConfig.HostKeyCallback is not set.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2017-3204
credit: Phil Pennock
links:
pr: https://go.dev/cl/340830
commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
context:
- https://go.dev/issue/19767
- https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/