Search CVE reports
1 – 10 of 12 results
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
3 affected packages
lxd, golang-go.crypto, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| lxd | Not in release | Not in release | Not affected | Not affected |
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| snapd | Not affected | Not affected | Not affected | Not affected |
Some fixes available 3 of 43
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only...
18 affected packages
lxd, golang, golang-1.6, golang-1.8, golang-1.9...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| lxd | Not in release | Not in release | Not affected | Needs evaluation |
| golang | Not in release | Not in release | Not in release | — |
| golang-1.6 | Not in release | Not in release | Not in release | — |
| golang-1.8 | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.9 | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.10 | Not in release | Not in release | Not in release | Needs evaluation |
| golang-1.13 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.14 | Not in release | Not in release | Needs evaluation | — |
| golang-1.16 | Not in release | Not in release | Needs evaluation | Needs evaluation |
| golang-1.17 | Not in release | Needs evaluation | Not in release | — |
| golang-1.18 | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-1.20 | Not in release | Needs evaluation | Needs evaluation | — |
| golang-1.21 | Needs evaluation | Needs evaluation | Needs evaluation | — |
| golang-1.22 | Fixed | Fixed | Needs evaluation | — |
| golang-1.23 | Needs evaluation | Needs evaluation | Not in release | — |
| golang-1.24 | Not in release | Not in release | Not in release | — |
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| snapd | Not affected | Not affected | Not affected | Not affected |
Some fixes available 5 of 16
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says...
4 affected packages
snapd, lxd, golang-go.crypto, google-guest-agent
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| snapd | Not affected | Not affected | Not affected | Not affected |
| lxd | Not in release | Not in release | Not affected | Needs evaluation |
| golang-go.crypto | Fixed | Fixed | Fixed | Fixed |
| google-guest-agent | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
Some fixes available 42 of 93
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation...
13 affected packages
dropbear, golang-go.crypto, snapd, lxd, libssh...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| dropbear | Needs evaluation | Fixed | Fixed | Fixed |
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| snapd | Not affected | Not affected | Not affected | Not affected |
| lxd | Not in release | Not in release | Not affected | Fixed |
| libssh | Not affected | Fixed | Fixed | Not affected |
| openssh-ssh1 | Ignored | Ignored | Ignored | Ignored |
| libssh2 | Not affected | Not affected | Not affected | Not affected |
| openssh | Fixed | Fixed | Fixed | Fixed |
| paramiko | Fixed | Fixed | Fixed | Needs evaluation |
| putty | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| proftpd-dfsg | Not affected | Not affected | Fixed | Needs evaluation |
| python-asyncssh | Fixed | Fixed | Fixed | Ignored |
| filezilla | Fixed | Fixed | Fixed | Not affected |
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | — | Not affected | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected |
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | Not in release | Not affected | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected |
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | — | Not affected | Needs evaluation |
| snapd | Not affected | Not affected | Not affected | Not affected |
Some fixes available 10 of 19
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
4 affected packages
golang-go.crypto, kubernetes, snapd, lxd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Fixed | Fixed | Vulnerable | Not affected |
| kubernetes | Not affected | Not affected | Not affected | Not in release |
| snapd | Not affected | Not affected | Not affected | Not affected |
| lxd | — | — | Not affected | Not affected |
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server...
4 affected packages
golang-go.crypto, lxd, mongo-tools, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Not affected | Not affected | Not affected | Vulnerable |
| lxd | — | — | Not affected | Not affected |
| mongo-tools | Not in release | Not in release | Needs evaluation | Needs evaluation |
| snapd | Not affected | Not affected | Not affected | Not affected |
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed...
2 affected packages
golang-go.crypto, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| golang-go.crypto | Not affected | Not affected | Not affected | Vulnerable |
| snapd | Not affected | Not affected | Not affected | Not affected |