Dropbear 2013.59

Matt Johnston matt at ucc.asn.au
Fri Oct 4 22:38:50 WST 2013


Hi all,

Dropbear 2013.59 has been released. It fixes a number of
bugs, including two security issues affecting prior
releases.

- The Dropbear server could be made to consume large amounts
of memory because decompressed packet sizes weren't checked.
Depending on the OS and hardware this might be a denial of
service.

- Valid users could be identified due to timing variations.

As usual you can download it from
https://matt.ucc.asn.au/dropbear/dropbear.html


Cheers,
Matt

2013.59 - Friday 4 October 2013

- Fix crash from -J command 
  Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches

- Avoid reading too much from /proc/net/rt_cache since that causes
  system slowness. 

- Improve EOF handling for half-closed connections
  Thanks to Catalin Patulea

- Send a banner message to report PAM error messages intended for the user
  Patch from Martin Donnelly

- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service 
  Thanks to Logan Lamb for reporting and investigating it

- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

- Update config.guess and config.sub for newer architectures

- Avoid segfault in server for locked accounts

- "make install" now installs manpages
  dropbearkey.8 has been renamed to dropbearkey.1
  manpage added for dropbearconvert

- Get rid of one second delay when running non-interactive commands

Releases are signed by PGP key matt at ucc.asn.au 4C647FBC 
     D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC
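The first security fix above (bounding the decompressed size of a packet) illustrated with an added Python example that is not Dropbear's own code: an SSH-style per-connection zlib stream on the server side, with an inflater that stops as soon as one packet's output exceeds a cap. The cap value, the class names and the constructed packets are assumptions for this example; Dropbear's actual limit is not stated in the announcement.

```python
import zlib

# Cap on the inflated size of one packet. Chosen for this example as a few
# times RFC 4253's 35000-byte minimum packet size; Dropbear's own value is
# not given on this page.
MAX_PAYLOAD = 4 * 35000


class PayloadTooLarge(Exception):
    """Raised when a packet would inflate past MAX_PAYLOAD."""


class BoundedInflater:
    """Server side: one zlib stream per connection, as SSH compression uses,
    but each packet's output is bounded before it is fully materialised."""

    def __init__(self, limit: int = MAX_PAYLOAD, chunk: int = 4096):
        self._d = zlib.decompressobj()
        self.limit = limit
        self.chunk = chunk

    def inflate(self, compressed: bytes) -> bytes:
        out = bytearray()
        buf = compressed
        while True:
            # max_length bounds each slice; zlib parks unprocessed input in
            # unconsumed_tail, so at most `chunk` bytes appear per step and
            # the running total is checked before the next slice.
            piece = self._d.decompress(buf, self.chunk)
            out += piece
            if len(out) > self.limit:
                # A real server would drop the connection here.
                raise PayloadTooLarge(f"packet inflates past {self.limit} bytes")
            buf = self._d.unconsumed_tail
            if not buf and not piece:
                return bytes(out)


class SshStyleDeflater:
    """Peer side: one compressobj per connection, Z_SYNC_FLUSH per packet."""

    def __init__(self):
        self._c = zlib.compressobj()

    def deflate(self, payload: bytes) -> bytes:
        return self._c.compress(payload) + self._c.flush(zlib.Z_SYNC_FLUSH)


def demo():
    """Constructed traffic: a small channel-data packet, then a packet whose
    few KiB of compressed input would inflate to 8 MiB of zeros."""
    peer, server = SshStyleDeflater(), BoundedInflater()
    normal = server.inflate(peer.deflate(b"\x5e\x00\x00\x00\x01hello"))
    bomb = peer.deflate(b"\x00" * (8 * 1024 * 1024))
    try:
        server.inflate(bomb)
        rejected = False
    except PayloadTooLarge:
        rejected = True
    return normal, len(bomb), rejected
```

Only about `limit + chunk` bytes are ever allocated for the oversized packet, which is the property the unchecked code lacked.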