Vulnerability in the crypto/ssh package has been fixed

Recently, Joern Schneeweisz of the GitLab Security Research Team discovered a bug in the Go language crypto/ssh package.

The ability to trigger the gssapi-with-mic authentication method is not properly guarded when the GSSAPIWithMICConfig field of the ServerConfig type is nil.

If this field is not set and a client sends a gssapi-with-mic request, the server will panic, regardless of whether the server advertises the method.

Version v0.0.0-20201216223049-8b5274cf687f fixes this vulnerability in the package.

Here are the details of the fix.

if config.GSSAPIWithMICConfig == nil {
	authErr = errors.New("ssh: gssapi-with-mic auth not configured")
	break
}

With the above fix, the package will disallow a gssapi-with-mic request if GSSAPIWithMICConfig is not set, returning an authentication error instead of panicking.
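To check whether a project still depends on a version older than the fix, the following added example (not code from the Go project or from this article's author) scans go.mod text and compares pseudo-version timestamps against the fixed version quoted above. It assumes the package ships in the golang.org/x/crypto module and that any tagged release is newer than the fix; the function names and the sample go.mod are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

const (
	fixedVersion = "v0.0.0-20201216223049-8b5274cf687f" // fix version quoted in the article
	modulePath   = "golang.org/x/crypto"                // assumption: module that ships crypto/ssh
)

// Matches pseudo-versions of the form v0.0.0-<yyyymmddhhmmss>-<12 hex digits>.
var pseudoRe = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// predatesFix reports whether version is a pseudo-version older than the fix.
// Assumption: any other version form (a tagged release) is newer than the fix.
func predatesFix(version string) bool {
	m := pseudoRe.FindStringSubmatch(version)
	fixed := pseudoRe.FindStringSubmatch(fixedVersion)
	// Equal-length digit strings order correctly under plain string comparison.
	return m != nil && m[1] < fixed[1]
}

// auditGoMod returns the modulePath versions in gomod that predate the fix.
func auditGoMod(gomod string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		if len(f) > 0 && f[0] == "require" { // single-line "require path version"
			f = f[1:]
		}
		if len(f) == 2 && f[0] == modulePath && predatesFix(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

// Constructed sample go.mod, not taken from any real project.
const sampleGoMod = "module example.com/sshd\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20200101000000-0123456789ab // indirect\n)\n"

func main() {
	fmt.Println(auditGoMod(sampleGoMod))
}
```

The same function accepts the output of `go list -m all`, which lists the versions the build actually selects; `replace` directives are not interpreted.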


Arunkumar Gudelli
