CVE-2021-43565 - log

CVE-2021-43565 edited at 02 Dec 2021 19:55:31
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed unauthenticated clients to cause a panic in SSH servers. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains empty plaintext causes a panic, due to the assumption that there will always be at least one byte, containing the number of padding bytes.
References
+ https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs/m/9LAF9FxvBwAJ
+ https://github.com/golang/go/issues/49932
+ https://go-review.googlesource.com/c/crypto/+/368814/
+ https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
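The failure mode in the description above, as an added example (not code from golang.org/x/crypto): a simplified model in which the decrypted AEAD plaintext starts with a padding-length byte. The function names, the error value and the all-zero key are assumptions constructed for illustration; the record is a validly authenticated AES-GCM ciphertext with empty plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

var errMalformed = errors.New("ssh: malformed packet")

// stripUnchecked assumes byte 0 (the padding length) always exists.
func stripUnchecked(plain []byte) ([]byte, error) {
	padding := int(plain[0]) // index out of range when plain is empty
	if padding+1 > len(plain) {
		return nil, errMalformed
	}
	return plain[1 : len(plain)-padding], nil
}

// stripChecked rejects empty plaintext before reading the padding length.
func stripChecked(plain []byte) ([]byte, error) {
	if len(plain) == 0 {
		return nil, errMalformed
	}
	return stripUnchecked(plain)
}

// handle opens a constructed AES-GCM record with empty plaintext (the
// ciphertext is only the 16-byte tag), strips padding with the given
// function, and reports whether that call panicked.
func handle(strip func([]byte) ([]byte, error)) (panicked bool, err error) {
	defer func() { panicked = recover() != nil }()
	block, _ := aes.NewCipher(make([]byte, 16)) // constructed all-zero key
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	ct := aead.Seal(nil, nonce, nil, nil) // empty plaintext, valid tag
	plain, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return false, err
	}
	_, err = strip(plain)
	return false, err
}

func main() {
	fmt.Println(handle(stripUnchecked)) // panic recovered inside handle
	fmt.Println(handle(stripChecked))   // clean protocol error
}
```

Authentication succeeding does not imply the plaintext is non-empty, so the length check has to happen after decryption and before the first index.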
CVE-2021-43565 created at 02 Dec 2021 19:53:52
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes