ALAS2023-2023-339 --- amazon-ssm-agentID: oval:org.secpod.oval:def:19500392 | Date: (C)2024-01-04 (M)2024-06-24 |
Class: PATCH | Family: unix |
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. http2/hpack: avoid quadratic complexity in hpack decoding
Platform: |
Amazon Linux 2023 |