blob: 878b9ffa9bb06150d144120e70d52f2370c36e65 [file] [log] [blame]
module: golang.org/x/crypto
package: golang.org/x/crypto/ssh
versions:
- fixed: v0.0.0-20170330155735-e4e2799dd7aa
description: |
By default host key verification is disabled which allows for
man-in-the-middle attacks against SSH clients if
[`ClientConfig.HostKeyCallback`] is not set.
published: 2021-04-14T12:00:00Z
cve: CVE-2017-3204
credit: Phil Pennock
symbols:
- NewClientConn
links:
pr: https://go-review.googlesource.com/38701
commit: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
context:
- https://github.com/golang/go/issues/19767
- https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/