Dropbear 2013.59

Catalin Patulea cat at vv.carleton.ca
Mon Oct 7 03:49:01 WST 2013


Are there any mirrors of Dropbear releases? OpenWRT used to use
http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
but it seems that mirror is now defunct.

On Fri, Oct 4, 2013 at 10:38 AM, Matt Johnston <matt at ucc.asn.au> wrote:
> Hi all,
>
> Dropbear 2013.59 has been released. It fixes a number of
> bugs, including two security issues affecting prior
> releases.
>
> - The Dropbear server could be made to consume large amounts
> of memory because decompressed packet sizes weren't checked.
> Depending on the OS and hardware this might be a denial of
> service.
>
> - Valid users could be identified due to timing variations.
>
> As usual you can download it from
> https://matt.ucc.asn.au/dropbear/dropbear.html
>
>
> Cheers,
> Matt
>
> 2013.59 - Friday 4 October 2013
>
> - Fix crash from -J command
>   Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches
>
> - Avoid reading too much from /proc/net/rt_cache since that causes
>   system slowness.
>
> - Improve EOF handling for half-closed connections
>   Thanks to Catalin Patulea
>
> - Send a banner message to report PAM error messages intended for the user
>   Patch from Martin Donnelly
>
> - Limit the size of decompressed payloads, avoids memory exhaustion denial
>   of service
>   Thanks to Logan Lamb for reporting and investigating it
>
> - Avoid disclosing existence of valid users through inconsistent delays
>   Thanks to Logan Lamb for reporting
>
> - Update config.guess and config.sub for newer architectures
>
> - Avoid segfault in server for locked accounts
>
> - "make install" now installs manpages
>   dropbearkey.8 has been renamed to dropbearkey.1
>   manpage added for dropbearconvert
>
> - Get rid of one second delay when running non-interactive commands
>
> Releases are signed by PGP key matt at ucc.asn.au 4C647FBC
>      D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC
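The first security fix in the quoted changelog, limiting the size of decompressed payloads, shown as an added Python example that is not Dropbear's code and does not claim to mirror its implementation. The 32 KiB ceiling, the function names and the constructed inputs are assumptions of this example; the point it demonstrates is that the inflater must ask zlib only for the bytes it is still willing to accept, so the peer's compression ratio never decides how much memory the server allocates.

```python
"""Bounded decompression of a compressed SSH packet payload.

Added example, not Dropbear code. A peer that negotiated zlib
compression can send a few kilobytes that inflate to many megabytes;
a receiver that inflates without a ceiling allocates whatever the
stream expands to. The fix is to inflate in pieces and stop as soon
as the output exceeds what one packet may legitimately hold.
"""
import zlib

# Assumed per-packet ceiling for this example. A real implementation ties
# this to its maximum packet size; 32 KiB is only an illustration.
MAX_DECOMPRESSED = 32 * 1024


class PayloadTooLarge(Exception):
    """Raised when a packet would inflate past the configured ceiling."""


def inflate_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: trust whatever size the stream expands to."""
    return zlib.decompress(data)


def inflate_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate `data`, aborting once more than `limit` bytes would be produced.

    The streaming API's max_length argument caps the output of each call,
    so we request only the bytes we are still willing to accept, plus one,
    so that an over-limit stream is detected rather than silently truncated.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        room = limit - len(out) + 1
        try:
            piece = d.decompress(pending, room)
        except zlib.error as exc:
            raise ValueError(f"corrupt compressed stream: {exc}") from exc
        out += piece
        if len(out) > limit:
            raise PayloadTooLarge(
                f"decompressed size exceeds {limit} bytes "
                f"(from {len(data)} compressed bytes)")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail
        if not piece and not pending:
            # No input left and no output produced: the stream is truncated.
            raise ValueError("truncated compressed stream")


def make_bomb(expanded_size: int) -> bytes:
    """Constructed attacker input: a highly compressible run of zero bytes."""
    return zlib.compress(b"\x00" * expanded_size, 9)


def compress_payload(payload: bytes) -> bytes:
    """Helper for the demo: compress an honest payload the way a peer would."""
    return zlib.compress(payload)


if __name__ == "__main__":
    bomb = make_bomb(16 * 1024 * 1024)  # 16 MiB of zeros, far smaller on the wire
    print(f"bomb on the wire: {len(bomb)} bytes")
    print(f"unbounded inflate allocates: {len(inflate_unbounded(bomb))} bytes")
    try:
        inflate_bounded(bomb)
    except PayloadTooLarge as exc:
        print(f"bounded inflate rejected it: {exc}")
```

The loop terminates because every iteration either produces output (bounded by `limit + 1` bytes in total), reaches end of stream, or detects that no progress is possible; an honest packet that is exactly at the ceiling is still accepted.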


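The second security fix in the quoted changelog, avoiding disclosure of valid users through inconsistent delays, shown as an added Python example that is not Dropbear's code; the page does not say what form Dropbear's own fix takes. The user store, the PBKDF2 work factor, the class and method names and the optional failure delay are all assumptions of this example. It contrasts a check that returns immediately for an unknown account with one that performs the same key derivation and the same failure delay whether or not the account exists.

```python
"""Uniform failure path for password authentication.

Added example, not Dropbear code. A server that answers an unknown
username faster than a known one with a wrong password lets an attacker
enumerate accounts by timing. The pattern shown here does the same
expensive work and applies the same delay on every failure.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 20_000  # assumed work factor for this example


class Authenticator:
    """Constructed user store with an instrumented password derivation."""

    def __init__(self, users: dict, fail_delay: float = 0.0):
        self.derivations = 0  # counts calls to _derive, for the tests
        self.fail_delay = fail_delay
        # users: name -> plaintext password (constructed sample data), stored
        # as (salt, derived key) so that verification must re-derive the key.
        self._store = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._store[name] = (salt, self._derive(password, salt))
        # Credentials for a user that does not exist: a random password nobody
        # knows. Verifying against them costs exactly as much as a real lookup.
        self._dummy_salt = os.urandom(16)
        self._dummy_key = self._derive(os.urandom(16).hex(), self._dummy_salt)

    def _derive(self, password: str, salt: bytes) -> bytes:
        self.derivations += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def check_leaky(self, username: str, password: str) -> bool:
        """Vulnerable pattern: an unknown user returns at once, a known user
        pays for a key derivation, so the response time reveals existence."""
        entry = self._store.get(username)
        if entry is None:
            return False
        salt, key = entry
        return hmac.compare_digest(self._derive(password, salt), key)

    def check_uniform(self, username: str, password: str) -> bool:
        """Fixed pattern: same derivation and same failure delay for every name."""
        salt, key = self._store.get(username, (self._dummy_salt, self._dummy_key))
        matched = hmac.compare_digest(self._derive(password, salt), key)
        # A name that is not in the store never succeeds, whatever was derived.
        ok = matched and username in self._store
        if not ok:
            time.sleep(self.fail_delay)
        return ok


def time_call(fn, *args) -> float:
    """Wall-clock seconds for one call; used only by the demo below."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    auth = Authenticator({"alice": "correct horse"}, fail_delay=0.05)
    for check in (auth.check_leaky, auth.check_uniform):
        unknown = time_call(check, "nobody", "guess")
        known = time_call(check, "alice", "guess")
        print(f"{check.__name__}: unknown user {unknown * 1000:.1f} ms, "
              f"known user with wrong password {known * 1000:.1f} ms")
```

Running the demo shows the leaky check answering the unknown user in well under a millisecond while the known user costs a full key derivation; the uniform check spends the same derivation plus the same delay on both failures. The delay alone is not enough if the work differs, which is why the dummy credentials are derived at construction time rather than skipped.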