The Go team plans to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Wednesday, December 11th.
🚨 x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass
A common API misuse allows an attacker to log in with one key but appear to have logged in with another. This potentially affects services that look up users by key.
Partially mitigated in golang.org/x/[email protected].
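
The difference between the misused pattern and the safe one, as an added example that is not code from the Go project: the misuse remembers the key most recently passed to the callback, while the safe pattern reads the identity from the permissions returned for the key that actually signed (in x/crypto/ssh, the `*ssh.Permissions` returned by `PublicKeyCallback` and exposed afterwards as `ServerConn.Permissions`). It is a standard-library-only model, so `Permissions`, `Offer`, `Authenticate` and `Compare` are hypothetical names, and the per-key caching of callback results is an assumption of the model.

```go
// Added illustration: stdlib-only model of SSH public-key auth, not x/crypto/ssh; names are hypothetical.
package main
import "crypto/ed25519"
import "fmt"

// Permissions plays the role of ssh.Permissions: data tied to one accepted key.
type Permissions struct{ Extensions map[string]string }

// Offer is one attempt; Sig == nil models a query sent without proof of possession.
type Offer struct{ Pub ed25519.PublicKey; Sig []byte }

// Authenticate: callback runs once per distinct key (cached); only a valid signature logs in.
func Authenticate(sid []byte, offers []Offer, cb func(ed25519.PublicKey) *Permissions) *Permissions {
	cache := map[string]*Permissions{}
	for _, o := range offers {
		p, seen := cache[string(o.Pub)]
		if !seen {
			p = cb(o.Pub)
			cache[string(o.Pub)] = p
		}
		if p != nil && o.Sig != nil && ed25519.Verify(o.Pub, sid, o.Sig) {
			return p
		}
	}
	return nil
}

// Compare returns the user each pattern attributes one login to.
func Compare(users map[string]string, sid []byte, offers []Offer) (misused, bound string) {
	p := Authenticate(sid, offers, func(k ed25519.PublicKey) *Permissions {
		user, ok := users[string(k)]
		if !ok {
			return nil
		}
		misused = user // misuse: remembers whichever key was looked up last
		return &Permissions{Extensions: map[string]string{"user": user}}
	})
	if p == nil {
		return "", "" // login failed: nothing to attribute
	}
	return misused, p.Extensions["user"] // bound: taken from the key that signed
}

func main() { // constructed input: two keys queried, then a signature with the first
	aPub, _, _ := ed25519.GenerateKey(nil)
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	users, sid := map[string]string{string(aPub): "alice", string(bPub): "bob"}, []byte("constructed-sid")
	fmt.Println(Compare(users, sid, []Offer{{bPub, nil}, {aPub, nil}, {bPub, ed25519.Sign(bPriv, sid)}}))
}
```

An audit for this misuse looks for state written inside the callback (a captured variable, a map keyed by session or connection) and read after the handshake in place of the connection's permissions.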