Hello gophers, Version v0.0.0-20201216223049-8b5274cf687f of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed clients to cause a panic in SSH servers.
An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil. This issue was discovered and reported by Joern Schneewesiz, GitLab Security Research Team, and is tracked as CVE-2020-29652. Cheers, Roland on behalf of the Go team -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CADAOFNRy5%2BX198Gu8326E8WVCeW1WK6Y5O%3DY2AFZc4qgBSRSEA%40mail.gmail.com.
