CVE-2017-3204

Priority
Low
Description
The Go SSH library (x/crypto/ssh) by default does not verify host keys,
facilitating man-in-the-middle attacks. Default behavior changed in commit
e4e2799 to require explicitly registering a hostkey verification mechanism.
Notes
 jdstrand> ubuntu-snappy and snapd contain embedded copies of golang-go.crypto
 tyhicks> snapd doesn't use this particular part of golang-go.crypto as it
  doesn't act as a SSH client
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 17.04 (Zesty Zapus): needs-triage
Patches:
Upstream: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
Package
Source: snapd
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): ignored (code not used)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): ignored (code not used)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): ignored (code not used)
Ubuntu 17.04 (Zesty Zapus): ignored (code not used)
Package
Upstream: needs-triage
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: ignored (code not used)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Updated: 2017-08-11 23:25:18 UTC (commit 13081)