https://bugzilla.suse.com/show_bug.cgi?id=1234550 https://bugzilla.suse.com/show_bug.cgi?id=1234550#c2 Alexandre Vicenzi <alexandre.vicenzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andrea.mattiazzo@suse.com Flags| |needinfo?(andrea.mattiazzo@ | |suse.com) --- Comment #2 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> --- gokart last release was on Sep 22, 2022, and reached EOL on Apr 9, 2024. Checking gokart sources and vendored dependencies for 0.5.1 does not show any calls to ServerConfig.PublicKeyCallback. It is safe to say that the CVE does not affect gokart since it does not use the affected code in golang.org/x/crypto/ssh. Since this project reached EOL, it is best to remove from Factory and avoid pulling it in future SLE releases. Andrea, can we close this? -- You are receiving this mail because: You are on the CC list for the bug.