packages:
  - module: golang.org/x/crypto
    package: golang.org/x/crypto/ssh
    symbols:
      - ServerConfig.AddHostKey
    derived_symbols:
      - ServerConfig.AddHostKey
    versions:
      - fixed: 0.0.0-20220314234659-1baeb1ce4c0b
description: |
  Attackers can cause a crash in SSH servers when the server has been
  configured by passing a Signer to ServerConfig.AddHostKey such that
  1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and
  2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from
  its PublicKey method.
  Servers that only use Signer implementations provided by the ssh package
  are unaffected.
cves:
  - CVE-2022-27191
ghsas:
  - GHSA-8c26-wmh5-6g9v
links:
  pr: https://go.dev/cl/392355
  commit: https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
  context:
    - https://groups.google.com/g/golang-announce
    - https://groups.google.com/g/golang-announce/c/-cp44ypCT5s