A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. Reference: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 Upstream patch: https://go-review.googlesource.com/c/crypto/+/278852
External References: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
In general a majority of components depend on golang.org/x/crypto however to be considered affected here they must actually depend on golang.org/x/crypto/ssh and thus compile in crypto/ssh/server.go. If the component depends on golang.org/x/crypto/ssh/terminal only, then it is not considered here as the affected code is not compiled in. Depending on crypto/ssh/terminal will not compile in crypto/ssh/server.go. Two ways to confirm this, 1. if using go mod, using `go list` will take this into account and not report crypto/ssh as a dependency even if used only in test, or 2, inspecting the binary with strings and looking for the file crypto/ssh/server.go. Gopkg, I've not found an easy way to use it, have to only rely on it being present in the vendor directory.
Statement: A large number of products include the affected package, but do not make use of the vulnerable SSH server code. Accordingly, the flaw itself is rated as "Important", but these products themselves all have a "Low" severity rating. Additionally, a number of products include golang.org/x/crypto (or even golang.org/x/crypto/ssh/terminal) but not specifically golang.org/x/crypto/ssh/server.go in the final build. As this would result in a very large number of entries of not affected products, only products which include the ssh server code (golang.org/x/crypto/ssh/server.go) have been represented here. Red Hat Enterprise Linux 8 container-tools:rhel8/containernetworking-plugins is not affected because although it uses some functionality from golang.org/x/crypto, it does not use or import anything from golang.org/x/crypto/ssh/*.
Created gomtree tracking bugs for this issue: Affects: fedora-all [bug 1927095] Created podman tracking bugs for this issue: Affects: fedora-all [bug 1927094]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29652
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1796 https://access.redhat.com/errata/RHSA-2021:1796
This issue has been addressed in the following products: RHEL-8-CNV-4.8 Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920