Fluid Attacks Database

Description

Improper Verification of Cryptographic Signature in golang.org/x/crypto golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/crypto	>=0 <0.0.0-20200220183623-bac4c82f6975	0.0.0-20200220183623-bac4c82f6975
debian 14	golang-go.crypto	>=0 <1:0.0~git20200221.2aa609c-1	1:0.0~git20200221.2aa609c-1
debian 13	golang-go.crypto	>=0 <1:0.0~git20200221.2aa609c-1	1:0.0~git20200221.2aa609c-1
debian 11	golang-go.crypto	>=0 <1:0.0~git20200221.2aa609c-1	1:0.0~git20200221.2aa609c-1
debian 12	golang-go.crypto	>=0 <1:0.0~git20200221.2aa609c-1	1:0.0~git20200221.2aa609c-1

Aliases

1. CVE-2020-92832. NVD-2020-92833. OSV-2020-92834. OSV-DEBIAN-2020-92835. GCVE-2020-92836. lists.debian.org7. lists.debian.org8. lists.debian.org9. SECURITY-TRACKER-CVE-2020-9283

References

1. https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab2362. https://go.dev/cl/2203573. https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab2364. https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY5. https://groups.google.com/g/golang-announce/c/3L45YRc91SY6. https://pkg.go.dev/vuln/GO-2020-00127. https://www.exploit-db.com/exploits/481218. http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html9. https://github.com/brompwnie/CVE-2020-9283