Blame - data/reports/GO-2020-0012.yaml - vulndb

blob: d91f3561f934b4dd5c0bc4fe3c0cf373f51059d0 [file] [log] [blame]

Damien Neil	b5cb765	2022-08-18 15:09:12 -0700	[diff] [blame]	1	modules:
Damien Neil	77344fd	2022-05-10 15:03:50 -0700	[diff] [blame]	2	- module: golang.org/x/crypto
Damien Neil	77344fd	2022-05-10 15:03:50 -0700	[diff] [blame]	3	versions:
Damien Neil	df2d3d3	2022-05-12 16:02:17 -0700	[diff] [blame]	4	- fixed: 0.0.0-20200220183623-bac4c82f6975
Damien Neil	b5cb765	2022-08-18 15:09:12 -0700	[diff] [blame]	5	packages:
				6	- package: golang.org/x/crypto/ssh
				7	symbols:
				8	- parseED25519
				9	- ed25519PublicKey.Verify
				10	- parseSKEd25519
				11	- skEd25519PublicKey.Verify
				12	- NewPublicKey
Roland Shoemaker	a3a17c9	2021-04-14 12:59:24 -0700	[diff] [blame]	13	description: \|
Jonathan Amsterdam	2552b96	2022-02-02 12:53:36 -0500	[diff] [blame]	14	An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
				15	key, such that the library will panic when trying to verify a signature
				16	with it. If verifying signatures using user supplied public keys, this
				17	may be used as a denial of service vector.
Jonathan Amsterdam	49ef614	2022-02-10 08:53:15 -0500	[diff] [blame]	18	published: 2021-04-14T20:04:52Z
Julie Qiu	3008f8a	2022-01-04 15:37:42 -0500	[diff] [blame]	19	cves:
				20	- CVE-2020-9283
Jonathan Amsterdam	1a19dd1	2022-03-01 10:04:31 -0500	[diff] [blame]	21	ghsas:
				22	- GHSA-ffhg-7mh4-33c4
Roland Shoemaker	a3a17c9	2021-04-14 12:59:24 -0700	[diff] [blame]	23	credit: Alex Gaynor, Fish in a Barrel
Damien Neil	00e94d7	2022-08-26 14:59:35 -0700	[diff] [blame^]	24	references:
				25	- fix: https://go.dev/cl/220357
				26	- fix: https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236
				27	- web: https://groups.google.com/g/golang-announce/c/3L45YRc91SY