packages:
  - module: golang.org/x/crypto
    package: golang.org/x/crypto/ssh
    symbols:
      - ServerConfig.AddHostKey
    derived_symbols:
      - ServerConfig.AddHostKey
    versions:
      - fixed: 0.0.0-20220314234659-1baeb1ce4c0b
description: |
  Attackers can cause a crash in SSH servers when the server has been
  configured by passing a Signer to ServerConfig.AddHostKey such that
  1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and
  2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its
     PublicKey method.
  Servers that only use Signer implementations provided by the ssh package are
  unaffected.
cves:
- CVE-2022-27191
ghsas:
- GHSA-8c26-wmh5-6g9v
links:
  pr: https://go.dev/cl/392355
  commit: https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
  context:
    - https://groups.google.com/g/golang-announce
    - https://groups.google.com/g/golang-announce/c/-cp44ypCT5s