Comment # 2 on bug 1234506 from Alexandre Vicenzi
Tailscale vendors github.com/tailscale/golang-x-crypto, a fork of
golang/crypto, which should be affected by this CVE since the fork has not been
rebased to 0.31.0.

Tailscale copied sources from gliderlabs/ssh, which calls
`gossh.ServerConfig.PublicKeyCallback`, with gossh being
github.com/tailscale/golang-x-crypto/ssh, which is affected because it was not
rebased.

This seems to affect TailSSH [1] functionality but I cannot guarantee that it
affects only this. It is not advised to use this functionality until it has
been patched.

Due to how deep this stretches into tailscale, we need to wait for a proper
release from upstream.

[1]: https://tailscale.com/kb/1193/tailscale-ssh
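
One way to run the dependency check this comment describes over a Go tree, as an added example (not code from the comment or from Tailscale). It flags golang.org/x/crypto requirements older than 0.31.0, replace directives, and caller-listed forks whose pseudo-versions cannot be compared to upstream; `Audit`, `older` and the sample go.mod text are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and version below are the ones named in the comment above.
const upstream, fixed = "golang.org/x/crypto", "v0.31.0"

// older compares MAJOR.MINOR.PATCH only; pseudo-version suffixes are ignored.
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}

// Audit scans go.mod or vendor/modules.txt text; forks is a caller-supplied set of fork paths.
func Audit(text string, forks map[string]bool) (out []string) {
lines:
	for _, line := range strings.Split(text, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop go.mod comments
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			mod, next := f[i], f[i+1]
			switch {
			case mod == upstream && (next == "=>" || (i+2 < len(f) && f[i+2] == "=>")):
				_, to, _ := strings.Cut(line, "=>")
				out = append(out, "replaced by "+strings.TrimSpace(to)+": verify it has the "+fixed+" changes")
			case mod == upstream && strings.HasPrefix(next, "v") && older(next, fixed):
				out = append(out, upstream+" "+next+" predates "+fixed)
			case forks[mod] && strings.HasPrefix(next, "v"):
				out = append(out, "fork "+mod+" "+next+": version not comparable, verify it was rebased")
			default:
				continue
			}
			continue lines // at most one finding per line
		}
	}
	return out
}

func main() {
	// Constructed go.mod fragment; the pseudo-version is a placeholder, not a real commit.
	sample := "require (\n\tgolang.org/x/crypto v0.30.0 // indirect\n\tgithub.com/tailscale/golang-x-crypto v0.0.0-20240101000000-000000000000\n)"
	fmt.Println(strings.Join(Audit(sample, map[string]bool{"github.com/tailscale/golang-x-crypto": true}), "\n"))
}
```

A fork finding only means the version string says nothing about the fix; the fork's history still has to be compared against upstream 0.31.0 by hand.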
