CVE-2017-3204
Published: 4 April 2017
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
Notes
| Author | Note |
|---|---|
| jdstrand | ubuntu-snappy and snapd contain embedded copies of golang-go.crypto |
| tyhicks | snapd doesn't use this particular part of golang-go.crypto as it doesn't act as a SSH client |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang-go.crypto Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| cosmic |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| xenial |
Needed
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
| disco |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| eoan |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| groovy |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| impish |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| hirsute |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| jammy |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| kinetic |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| lunar |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| bionic |
Not vulnerable
(1:0.0~git20170629.0.5ef0053-2)
|
|
| focal |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
| upstream |
Released
(1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1)
|
|
| mantic |
Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
|
|
|
Patches: upstream: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991 |
||
|
ubuntu-snappy Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| artful |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| groovy |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
| impish |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| upstream |
Needs triage
|
|
| mantic |
Does not exist
|
|
|
snapd Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored [code not used])
|
|
| xenial |
Ignored
(code not used)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
|
| artful |
Ignored
(end of life)
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| groovy |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| jammy |
Ignored
(code not used)
|
|
| kinetic |
Ignored
(end of life, was ignored [code not used])
|
|
| lunar |
Ignored
(code not used)
|
|
| bionic |
Ignored
(code not used)
|
|
| focal |
Ignored
(code not used)
|
|
| upstream |
Needs triage
|
|
| mantic |
Ignored
(code not used)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |