
[CVE-2024-45337] x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass #129164

Closed
@dims

Description

Note from the golang team:
https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ

Our use of the package:

❯ rg 'crypto/ssh"'
test/e2e/framework/ssh/ssh.go
31:     "golang.org/x/crypto/ssh"

The fix the golang team applied:
golang/crypto@v0.30.0...v0.31.0

Based on code inspection and the comments in the code itself:
golang/crypto@b4f1988#diff-e951878a83c4f8e454f545a1a2880f387705de79b3272105eab50d18f0dc52b3R162-R165

Only the folks who are using the PublicKeyCallback API are affected. We don't use that API in kubernetes/kubernetes, and our only use of the entire package is in a test suite.

Based on the above, deliverables/binaries from kubernetes/kubernetes are NOT affected.
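For readers assessing their own PublicKeyCallback usage, the following is an added model of the misuse the advisory describes (not code from this issue, from kubernetes/kubernetes, or from x/crypto/ssh). It uses stand-in Permissions and PublicKeyCallback types and a simplified pre-v0.31.0 authentication loop (both assumptions) so it runs with only the standard library: the attacker queries a regular key A and an admin's public key B, authenticates with A, and the "remember the last key" pattern grants admin while the Permissions returned for the signing key grant user.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "errors"

// Stand-ins for x/crypto/ssh's Permissions and PublicKeyCallback (assumed shapes only).
type Permissions struct{ Extensions map[string]string }
type PublicKeyCallback func(key ed25519.PublicKey) (*Permissions, error)

// authenticate models the pre-v0.31.0 server loop: each queried key reaches the callback
// once (cached per key); the client then proves possession of one accepted key by signing.
func authenticate(queried []ed25519.PublicKey, signer ed25519.PrivateKey, cb PublicKeyCallback) (*Permissions, error) {
	cache := map[string]*Permissions{}
	for _, k := range queried {
		if p, err := cb(k); err == nil {
			cache[string(k)] = p
		}
	}
	challenge := []byte("constructed session id")
	pub := signer.Public().(ed25519.PublicKey)
	if !ed25519.Verify(pub, challenge, ed25519.Sign(signer, challenge)) {
		return nil, errors.New("bad signature")
	}
	if p, ok := cache[string(pub)]; ok {
		return p, nil // Permissions tied to the key that actually signed
	}
	return nil, errors.New("key not accepted")
}

// Scenario replays the advisory's case: the attacker holds key A (a regular account),
// queries A then B (an admin's public key), and authenticates with A. It returns the
// role each server pattern would grant.
func Scenario() (vulnerableRole, hardenedRole string, err error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	roles := map[string]string{string(pubA): "user", string(pubB): "admin"}
	var lastKey ed25519.PublicKey
	cb := func(key ed25519.PublicKey) (*Permissions, error) {
		if role, ok := roles[string(key)]; ok {
			lastKey = key // misuse: authorization state kept outside the callback
			return &Permissions{Extensions: map[string]string{"role": role}}, nil
		}
		return nil, errors.New("unknown key")
	}
	perms, err := authenticate([]ed25519.PublicKey{pubA, pubB}, privA, cb)
	if err != nil {
		return "", "", err
	}
	return roles[string(lastKey)], perms.Extensions["role"], nil // "admin", "user"
}
```

In the real library the hardened pattern is the same idea: return the data you need in Permissions.Extensions and read it back from ServerConn.Permissions after the handshake instead of trusting callback ordering.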
