Bug 1439748 (CVE-2017-3204)

Summary: CVE-2017-3204 golang-googlecode-go-crypto: Go SSH library does not verify host keys by default
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, databases-maint, dedgar, dmcphers, fpokorny, golang-updates, hhorak, jchaloup, jgoulding, jkeck, joelsmith, jorton, tdawson, vbatts
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:10:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1439751, 1439752, 1471344    
Bug Blocks: 1439750    

Description Andrej Nemec 2017-04-06 13:12:56 UTC 
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks.

Upstream bug:

https://github.com/golang/go/issues/19767

Upstream patch:

https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
Comment 1 Andrej Nemec 2017-04-06 13:15:07 UTC 
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1439752]
Affects: fedora-all [bug 1439751]