reports/GO-2020-0013.yaml - vulndb - Git at Google

 packages:
   - module: golang.org/x/crypto
     package: golang.org/x/crypto/ssh
     symbols:
       - NewClientConn
     versions:
       - fixed: 0.0.0-20170330155735-e4e2799dd7aa
 description: |
     By default host key verification is disabled which allows for
     man-in-the-middle attacks against SSH clients if
     ClientConfig.HostKeyCallback is not set.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2017-3204
 credit: Phil Pennock
 links:
     pr: https://go.dev/cl/340830
     commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
     context:
       - https://go.dev/issue/19767
       - https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
	packages:
	- module: golang.org/x/crypto
	package: golang.org/x/crypto/ssh
	symbols:
	- NewClientConn
	versions:
	- fixed: 0.0.0-20170330155735-e4e2799dd7aa
	description: \|
	By default host key verification is disabled which allows for
	man-in-the-middle attacks against SSH clients if
	ClientConfig.HostKeyCallback is not set.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2017-3204
	credit: Phil Pennock
	links:
	pr: https://go.dev/cl/340830
	commit: https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
	context:
	- https://go.dev/issue/19767
	- https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/