Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2020-9283

Published: 20 February 2020

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Notes

AuthorNote
jdstrand
snapd contains an embedded copy of golang-go.crypto
lxd in 18.04 LTS and earlier contains an embedded copy of
golang-go.crypto
mdeslaur
snapd and lxd only use the terminal sub-package, not the ssh
part of golang-go.crypto, so they are not vulnerable

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
golang-go.crypto
Launchpad, Ubuntu, Debian
trusty Does not exist

xenial Needed

eoan Ignored
(end of life)
groovy Not vulnerable
(1:0.0~git20200221.2aa609c-1)
impish Not vulnerable
(1:0.0~git20200221.2aa609c-1)
bionic Needed

hirsute Not vulnerable
(1:0.0~git20200221.2aa609c-1)
jammy Not vulnerable
(1:0.0~git20200221.2aa609c-1)
kinetic Not vulnerable
(1:0.0~git20200221.2aa609c-1)
focal Not vulnerable
(1:0.0~git20200221.2aa609c-1)
lunar Not vulnerable
(1:0.0~git20200221.2aa609c-1)
upstream Needs triage

mantic Not vulnerable
(1:0.0~git20200221.2aa609c-1)
Patches:
upstream: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
lxd
Launchpad, Ubuntu, Debian
eoan Not vulnerable
(code-not-present)
groovy Not vulnerable
(code-not-present)
impish Not vulnerable
(code-not-present)
trusty Does not exist

xenial Not vulnerable

hirsute Not vulnerable
(code-not-present)
bionic Not vulnerable

focal Not vulnerable
(code-not-present)
upstream Needs triage

mongo-tools
Launchpad, Ubuntu, Debian
hirsute Does not exist

jammy Does not exist

kinetic Does not exist

bionic Needs triage

eoan Ignored
(end of life)
focal Needs triage

groovy Does not exist

impish Does not exist

lunar Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mantic Does not exist

snapd
Launchpad, Ubuntu, Debian
hirsute Not vulnerable

jammy Not vulnerable

kinetic Not vulnerable

lunar Not vulnerable

trusty Does not exist

bionic Not vulnerable

eoan Not vulnerable

focal Not vulnerable

groovy Not vulnerable

impish Not vulnerable

upstream Needs triage

xenial Not vulnerable

mantic Not vulnerable

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H