#1089754 golang-go.crypto: CVE-2024-45337

Package:
src:golang-go.crypto
Source:
src:golang-go.crypto
Submitter:
Salvatore Bonaccorso
Date:
2025-02-14 13:21:03 UTC
Severity:
normal
Tags:
#1089754#5
Date:
2024-12-12 11:02:08 UTC
Hi,

The following vulnerability was published for golang-go.crypto.

CVE-2024-45337[0]:
| Applications and libraries which misuse the
| ServerConfig.PublicKeyCallback callback may be susceptible to an
| authorization bypass.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45337
https://www.cve.org/CVERecord?id=CVE-2024-45337
[1] https://github.com/golang/go/issues/70779
[2] https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
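
The misuse named in the CVE text above, as an added stdlib-only Go model that is not part of this bug report or of golang.org/x/crypto: an SSH client may offer several public keys before proving control of one, so a server that inferred the authenticated identity from the last key the callback saw (rather than from the Permissions the library hands back for the key actually used) could authorize the wrong account. The Permissions type and the authorize loop are simplified stand-ins for ssh.Permissions and the library's pre-v0.31.0 behaviour; the key fingerprints and account table are constructed.

```go
package main

import "errors"

// Permissions mirrors ssh.Permissions, which x/crypto stores in
// ServerConn.Permissions for the key that actually authenticated.
type Permissions struct{ Extensions map[string]string }

// Constructed sample key database: fingerprint -> account name.
var authorized = map[string]string{"SHA256:keyA": "alice", "SHA256:keyB": "admin"}

// authorize models the pre-v0.31.0 library: every key the client offers is
// passed to the callback once, and the client may then prove control of any
// accepted key, not necessarily the last one offered. It returns the
// Permissions of the key that was actually used.
func authorize(cb func(string) (*Permissions, error), offered []string, signedWith string) (*Permissions, error) {
	accepted := map[string]*Permissions{}
	for _, fp := range offered {
		perms, err := cb(fp)
		if err != nil {
			return nil, err
		}
		accepted[fp] = perms
	}
	if perms, ok := accepted[signedWith]; ok {
		return perms, nil
	}
	return nil, errors.New("signature from a key that was never accepted")
}

// Authenticate runs one handshake and returns the identity two ways:
// lastSeen is the misuse (a side effect of the last callback invocation);
// bound is read back from Permissions.Extensions of the key that authenticated,
// which is what ServerConn.Permissions gives a real server after the handshake.
func Authenticate(offered []string, signedWith string) (lastSeen, bound string, err error) {
	cb := func(fp string) (*Permissions, error) {
		user, ok := authorized[fp]
		if !ok {
			return nil, errors.New("unknown key")
		}
		lastSeen = user // not tied to the key the client finally signs with
		return &Permissions{Extensions: map[string]string{"user": user}}, nil
	}
	perms, err := authorize(cb, offered, signedWith)
	if err != nil {
		return lastSeen, "", err
	}
	return lastSeen, perms.Extensions["user"], nil
}
```

Offering keyA then keyB and signing with keyA yields lastSeen "admin" but bound "alice"; only the bound value is safe to act on.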

#1089754#12
Date:
2025-02-14 13:20:21 UTC
We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1089754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santiagorr@riseup.net> (supplier of updated golang-go.crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 14 Feb 2025 09:43:14 -0300
Source: golang-go.crypto
Architecture: source
Version: 1:0.33.0-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Closes: 1089754
Changes:
 golang-go.crypto (1:0.33.0-1~exp1) experimental; urgency=medium
 .
   * Team upload
   * New upstream version 0.33.0
     * Fix CVE-2024-45337: Applications and libraries which misuse the
       ServerConfig.PublicKeyCallback callback may be susceptible to an
       authorization bypass. (Closes: #1089754)
   * Remove 0003-ssh-don-t-use-dsa-keys-in-integration-tests.patch, no longer
     needed
Checksums-Sha1:
Checksums-Sha256:
Files: