Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2017-3204

Published: 4 April 2017

The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

Notes

AuthorNote
jdstrand
ubuntu-snappy and snapd contain embedded copies of golang-go.crypto
tyhicks
snapd doesn't use this particular part of golang-go.crypto as it
doesn't act as a SSH client

Priority

Low

Cvss 3 Severity Score

8.1

Score breakdown

Status

Package Release Status
golang-go.crypto
Launchpad, Ubuntu, Debian
artful Ignored
(end of life)
cosmic Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
precise Does not exist

trusty Does not exist

xenial Needed

yakkety Ignored
(end of life)
zesty Ignored
(end of life)
disco Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
eoan Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
groovy Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
impish Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
hirsute Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
jammy Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
kinetic Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
lunar Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
bionic Not vulnerable
(1:0.0~git20170629.0.5ef0053-2)
focal Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
upstream
Released (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1)
mantic Not vulnerable
(1:0.0~git20180614.a8fb68e-1)
Patches:
upstream: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
ubuntu-snappy
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist

artful Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

groovy Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

impish Does not exist

hirsute Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

bionic Does not exist

focal Does not exist

upstream Needs triage

mantic Does not exist

snapd
Launchpad, Ubuntu, Debian
precise Does not exist

trusty Does not exist
(trusty was ignored [code not used])
xenial Ignored
(code not used)
yakkety Ignored
(end of life)
zesty Ignored
(end of life)
artful Ignored
(end of life)
cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Ignored
(end of life)
groovy Ignored
(end of life)
impish Ignored
(end of life)
hirsute Ignored
(end of life)
jammy Ignored
(code not used)
kinetic Ignored
(end of life, was ignored [code not used])
lunar Ignored
(end of life, was ignored [code not used])
bionic Ignored
(code not used)
focal Ignored
(code not used)
upstream Needs triage

mantic Ignored
(code not used)

Severity score breakdown

Parameter Value
Base score 8.1
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H