Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd #2738

Merged
merged 1 commit into from
Mar 17, 2022
Merged

vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd #2738

merged 1 commit into from
Mar 17, 2022

Conversation

thaJeztah
Copy link
Member

full diff: golang/crypto@5770296...3147a52

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

Hello gophers,

Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.

Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.

We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.

Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:

- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.

Alla prossima,

Filippo for the Go Security team

@thaJeztah
vendor: golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
e5d9783 
full diff: golang/crypto@5770296...3147a52

This version contains a fix for CVE-2022-27191 (not sure if it affects us).

From the golang mailing list:

    Hello gophers,

    Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
    client authentication support for signature algorithms based on SHA-2 for use with
    existing RSA keys.

    Previously, a client would fail to authenticate with RSA keys to servers that
    reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
    and—starting today March 15, 2022 for recently uploaded keys.

    We are providing this announcement as the error (“ssh: unable to authenticate”)
    might otherwise be difficult to troubleshoot.

    Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
    fixes a potential security issue where an attacker could cause a crash in a
    golang.org/x/crypto/ssh server under these conditions:

    - The server has been configured by passing a Signer to ServerConfig.AddHostKey.
    - The Signer passed to AddHostKey does not also implement AlgorithmSigner.
    - The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

    Servers that only use Signer implementations provided by the ssh package are
    unaffected. This is CVE-2022-27191.

    Alla prossima,

    Filippo for the Go Security team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah mentioned this pull request Mar 17, 2022
Closed
@tonistiigi tonistiigi merged commit c2c36af into moby:master Mar 17, 2022
@thaJeztah thaJeztah deleted the bump_crypto branch March 17, 2022 19:57
@thaJeztah thaJeztah mentioned this pull request Oct 13, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

@AkihiroSuda AkihiroSuda Awaiting requested review from AkihiroSuda

@crazy-max crazy-max Awaiting requested review from crazy-max

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thaJeztah @tonistiigi