dropbear 2016.74-5 source package in Ubuntu

Changelog

dropbear (2016.74-5) unstable; urgency=high

  * Backport security fixes from 2017.75 (closes: #862970):
    - CVE-2017-9078: Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated user
      if dropbear is running with -a (Allow connections to forwarded ports
      from any host). This could potentially allow arbitrary code execution as
      root by an authenticated user.
    - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a symlink. The
      fix is to switch to user permissions when opening authorized_keys.
      A user could symlink their ~/.ssh/authorized_keys to a root-owned file
      they couldn't normally read. If they managed to get that file to contain
      valid authorized_keys with command= options it might be possible to read
      other contents of that file.
      This information disclosure is to an already authenticated user.

 -- Guilhem Moulin <email address hidden>  Fri, 19 May 2017 23:41:21 +0200

Upload details

Uploaded by: Guilhem Moulin
Uploaded to: Sid
Original maintainer: Guilhem Moulin
Architectures: any all
Section: net
Urgency: Very Urgent

Downloads

File Size SHA-256 Checksum
dropbear_2016.74-5.dsc 2.1 KiB 6e0625a8e52c3a3f6dd5fd45730bbe8ab6c48cbab0a309a8804996bdda59b722
dropbear_2016.74.orig.tar.bz2 1.5 MiB a532bf883529129a105c82181fc6cc89619e2aa34822fc74deccb5566f754f26
dropbear_2016.74-5.debian.tar.xz 21.6 KiB 719b0b7a84053062d35e02c8811d415f2178f032c1a0e584918e98eb23a62b8a

Available diffs

No changes file available.

Binary packages built by this source

No summary or description is available for these packages in ubuntu artful:

dropbear
dropbear-bin
dropbear-bin-dbgsym
dropbear-initramfs
dropbear-run