CVE-2020-9283

Priority
Description
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows
a panic during signature verification in the golang.org/x/crypto/ssh
package. A client can attack an SSH server that accepts public keys. Also,
a server can attack any SSH client.
Notes
jdstrand: snapd contains an embedded copy of golang-go.crypto
lxd in 18.04 LTS and earlier contains an embedded copy of
golang-go.crypto
mdeslaur: snapd and lxd only use the terminal sub-package, not the ssh
part of golang-go.crypto, so they are not vulnerable
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 20.04 LTS (Focal Fossa): not-affected (1:0.0~git20200221.2aa609c-1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (1:0.0~git20200221.2aa609c-1)
Package
Source: lxd (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 20.04 LTS (Focal Fossa): not-affected (code-not-present)
Ubuntu 20.10 (Groovy Gorilla): not-affected (code-not-present)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 20.04 LTS (Focal Fossa): needs-triage
Ubuntu 20.10 (Groovy Gorilla): DNE
Package
Source: snapd (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 20.04 LTS (Focal Fossa): not-affected
Ubuntu 20.10 (Groovy Gorilla): not-affected
Updated: 2020-09-25 14:27:16 UTC (commit e775549e62f5d80d4ff1c6236719bd55379159c5)