Recently, Joern Schneeweisz of the GitLab Security Research Team discovered a bug in the Go language crypto/ssh package.

The ability to trigger the gssapi-with-mic authentication method is not properly guarded when the GSSAPIWithMICConfig field of the ServerConfig type is nil.

If this field is not set and a client sends a gssapi-with-mic request, the server will panic, regardless of whether it advertises that method.

Version v0.0.0-20201216223049-8b5274cf687f fixes this vulnerability in the package.

    if config.GSSAPIWithMICConfig == nil {
        authErr = errors.New("ssh: gssapi-with-mic auth not configured")
        break
    }

With the above fix, the package disallows a gssapi-with-mic request if GSSAPIWithMICConfig is not set.
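The difference the guard makes can be seen in a small self-contained model. This is an added example, not code from crypto/ssh: the types are simplified stand-ins, and `authUnguarded`, `authGuarded`, `panics` and the `AllowLogin` signature are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the crypto/ssh types; only the nil-able field matters here.
type GSSAPIWithMICConfig struct {
	AllowLogin func(user string) error
}

type ServerConfig struct {
	GSSAPIWithMICConfig *GSSAPIWithMICConfig // nil when GSSAPI was never configured
}

// authUnguarded models the pre-fix flow: the client picks the method, no nil check.
func authUnguarded(config *ServerConfig, method, user string) error {
	switch method {
	case "gssapi-with-mic":
		return config.GSSAPIWithMICConfig.AllowLogin(user) // nil pointer dereference
	}
	return errors.New("ssh: unsupported auth method " + method)
}

// authGuarded models the fixed flow: an unconfigured method is an auth error.
func authGuarded(config *ServerConfig, method, user string) error {
	switch method {
	case "gssapi-with-mic":
		if config.GSSAPIWithMICConfig == nil {
			return errors.New("ssh: gssapi-with-mic auth not configured")
		}
		return config.GSSAPIWithMICConfig.AllowLogin(user)
	}
	return errors.New("ssh: unsupported auth method " + method)
}

// panics reports whether f panics, without taking the process down.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	cfg := &ServerConfig{} // constructed input: GSSAPI left unconfigured
	fmt.Println("unguarded panics:", panics(func() { authUnguarded(cfg, "gssapi-with-mic", "alice") }))
	fmt.Println("guarded result:  ", authGuarded(cfg, "gssapi-with-mic", "alice"))
}
```

A regression test for a server built on the package can assert the same property: a request for an unconfigured method must come back as an authentication error, never a panic.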