data/reports: add vulnerable_at to GO-2020-0012.yaml
Aliases: CVE-2020-9283, GHSA-ffhg-7mh4-33c4
Updates golang/vulndb#12
Change-Id: If1f8408a816b0a4e7fcfea6c5c5dcc64c8d8bc9b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/462080
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
diff --git a/data/osv/GO-2020-0012.json b/data/osv/GO-2020-0012.json
index 3dfeb24..9712168 100644
--- a/data/osv/GO-2020-0012.json
+++ b/data/osv/GO-2020-0012.json
@@ -34,7 +34,23 @@
{
"path": "golang.org/x/crypto/ssh",
"symbols": [
+ "CertChecker.Authenticate",
+ "CertChecker.CheckCert",
+ "CertChecker.CheckHostKey",
+ "Certificate.Verify",
+ "Dial",
+ "NewClientConn",
"NewPublicKey",
+ "NewServerConn",
+ "NewSignerFromKey",
+ "NewSignerFromSigner",
+ "ParseAuthorizedKey",
+ "ParseKnownHosts",
+ "ParsePrivateKey",
+ "ParsePrivateKeyWithPassphrase",
+ "ParsePublicKey",
+ "ParseRawPrivateKey",
+ "ParseRawPrivateKeyWithPassphrase",
"ed25519PublicKey.Verify",
"parseED25519",
"parseSKEd25519",
diff --git a/data/reports/GO-2020-0012.yaml b/data/reports/GO-2020-0012.yaml
index d91f356..7723883 100644
--- a/data/reports/GO-2020-0012.yaml
+++ b/data/reports/GO-2020-0012.yaml
@@ -2,6 +2,7 @@
- module: golang.org/x/crypto
versions:
- fixed: 0.0.0-20200220183623-bac4c82f6975
+ vulnerable_at: 0.0.0-20200219234226-1ad67e1f0ef4
packages:
- package: golang.org/x/crypto/ssh
symbols:
@@ -10,6 +11,23 @@
- parseSKEd25519
- skEd25519PublicKey.Verify
- NewPublicKey
+ derived_symbols:
+ - CertChecker.Authenticate
+ - CertChecker.CheckCert
+ - CertChecker.CheckHostKey
+ - Certificate.Verify
+ - Dial
+ - NewClientConn
+ - NewServerConn
+ - NewSignerFromKey
+ - NewSignerFromSigner
+ - ParseAuthorizedKey
+ - ParseKnownHosts
+ - ParsePrivateKey
+ - ParsePrivateKeyWithPassphrase
+ - ParsePublicKey
+ - ParseRawPrivateKey
+ - ParseRawPrivateKeyWithPassphrase
description: |
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
key, such that the library will panic when trying to verify a signature
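Review bot: Nothing in the report records that the `derived_symbols` list added here was computed at the `vulnerable_at` version set in the previous hunk, so a later change to either field can leave them out of step with no visible sign. Assuming the list is tool-generated from the call graph at that version (the commit message does not say), a one-line comment above it would help, e.g. `# derived_symbols: generated at vulnerable_at; regenerate, do not hand-edit`. The list is a snapshot of one version: older releases may reach `parseED25519` through a different set of exported entry points, and the sk-ssh-ed25519 symbols presumably do not exist in older releases. The visible `versions` entry has only `fixed` and no `introduced` bound, so it is worth confirming that treating every earlier version as affected is intended.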