francoispqt / gojay

high performance JSON encoder/decoder with stream API for Golang
MIT License

Improper Signature Verification. #167

Open bhaskarvilles opened 2 years ago

bhaskarvilles commented 2 years ago

golang.org/x/crypto/

Affected versions of this package are vulnerable to Improper Signature Verification. An attacker can craft an ssh-ed25519 or sk-ssh-...@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.
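The report above concerns attacker-supplied key material reaching signature verification unvalidated. The following Go code is an added example, not part of the original comment and not code from gojay or golang.org/x/crypto: it parses an `ssh-ed25519` key blob with the standard library and refuses a key of the wrong length before calling `crypto/ed25519.Verify`, which panics when the public key is not 32 bytes. That a wrong-length key is the malformed input is an assumption, and `readString`, `EncodeBlob` and `VerifyBlob` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// readString reads one SSH wire string: uint32 big-endian length, then the bytes.
func readString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated SSH string")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// EncodeBlob builds a constructed sample key blob (keys under 256 bytes only).
func EncodeBlob(key []byte) []byte {
	out := append([]byte{0, 0, 0, 11}, "ssh-ed25519"...)
	return append(append(out, 0, 0, 0, byte(len(key))), key...)
}

// VerifyBlob parses a peer-supplied key blob and verifies sig over msg.
// A malformed key yields an error; it never reaches ed25519.Verify.
func VerifyBlob(blob, msg, sig []byte) (bool, error) {
	algo, rest, err := readString(blob)
	if err != nil || string(algo) != "ssh-ed25519" {
		return false, errors.New("not an ssh-ed25519 key blob")
	}
	key, rest, err := readString(rest)
	if err != nil || len(rest) != 0 {
		return false, errors.New("malformed key field")
	}
	if len(key) != ed25519.PublicKeySize {
		return false, fmt.Errorf("ed25519 key is %d bytes, want %d", len(key), ed25519.PublicKeySize)
	}
	return ed25519.Verify(key, msg, sig), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key pair
	msg := []byte("constructed sample message")
	fmt.Println(VerifyBlob(EncodeBlob(pub), msg, ed25519.Sign(priv, msg)))
	fmt.Println(VerifyBlob(EncodeBlob(pub[:31]), msg, make([]byte, 64)))
}
```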

bhaskarvilles commented 2 years ago

Any update?

bhaskarvilles commented 2 years ago

???