Your message dated Mon, 29 May 2017 14:56:15 -0500
with message-id <20170529145615.1230c...@arctic.lustfield.net>
and subject line
has caused the Debian Bug report #859655,
regarding golang-go.crypto: CVE-2017-3204
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
859655: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859655
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767
Hi,
the following vulnerability was published for golang-go.crypto.
CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Unless I missed something, this has been resolved. Closing.
--
Michael Lustfield
--- End Message ---
