---

CVE-2020-9283 - log back

CVE-2020-9283 edited at 06 Mar 2020 09:15:45
References	https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY + https://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html

CVE-2020-9283 edited at 06 Mar 2020 09:15:21
Description	- An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client. + A security issue has been found in golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975. An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.
References	+ https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 + https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY

CVE-2020-9283 edited at 06 Mar 2020 00:30:23
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Denial of service
Description	+ An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.
References
Notes

CVE-2020-9283 created at 06 Mar 2020 00:29:44