75 matches found
golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
A flaw was found in golang.org/x/crypto/ssh. SSH servers configured to use CertChecker as a public key callback, without explicitly setting IsUserAuthority or IsHostAuthority, are vulnerable. A remote attacker can exploit this by presenting a specially crafted certificate, causing the server to...
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
...
SUSE-SU-2025:1037-1 Security update for podman
This update for podman fixes the following issues: - CVE-2025-22869: Fixed Denial of Service in the Key Exchange of golang.org/x/crypto/ssh bsc1239330...
golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange...
Potential denial of service in golang.org/x/crypto
...
Security Bulletin: IBM Observability with Instana is vulnerable to Authorization bypass in golang.org/x/crypto
Summary golang.org/x/crypto is used by IBM Instana Observability as part of the instana-agent-operator CVE-2024-45337. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details CVEID:CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse...
Security update for brise
This update for brise fixes the following issues: CVE-2025-21613: Fixed argument injection via the URL field bsc1235573. CVE-2024-45337: Fixed authorization bypass in golang.org/x/crypto via the ServerConfig.PublicKeyCallback callback bsc1234597. Patch Instructions: To install this SUSE update us...
Authorization Bypass
golang.org/x/crypto is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of public key authentication callbacks where the order or reuse of keys in the callback can lead to incorrect authorization decisions, allowing attackers to exploit misused APIs or assumptions...
GHSA-7PRJ-HGX4-2XC3 Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy
A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specif...
Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy
A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specif...
GO-2024-3321 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto
Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is...
SUSE-SU-2024:3186-1 Security update for buildah
This update for buildah fixes the following issues: Update to version 1.35.4: CVE-2024-3727 updates bsc1224117 Bump go-jose CVE-2024-28180 Bump ocicrypt and go-jose CVE-2024-28180 Update to version 1.35.3: correctly configure /etc/hosts and resolv.conf buildah: refactor resolv/hosts setup. rename...
CVE-2022-30636 Limited directory traversal vulnerability on Windows in golang.org/x/crypto
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator \ vs. /, allowing a user to provide a relative path, i.e...
CVE-2022-30636 Limited directory traversal vulnerability on Windows in golang.org/x/crypto
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator \ vs. /, allowing a user to provide a relative path, i.e...
RHEL 7 / 8 : OpenShift Virtualization 4.11.0 RPMs (RHSA-2022:6527)
The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:6527 advisory. OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift...
Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2024-1533)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
ROS-20240412-06
A vulnerability in the OpenSSL library's implementation of the SM2 cryptographic algorithm is related to buffer copying without checking the size of the input data. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code by transmitting specially crafte...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to machine-in-the-middle due to golang.org/x/crypto ( CVE-2023-48795 )
Summary Golang.org/x/crypto is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries . CVE-2023-48795. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in th...
Huawei EulerOS: Security Advisory for proftpd (EulerOS-SA-2024-1345)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
RHCOS 4 : OpenShift Container Platform 4.15.0 (RHSA-2023:7201)
The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7201 advisory. - golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 - golang:...