Dropbear 2013.59

Rob Landley rob at landley.net
Sun Oct 20 04:56:06 WST 2013


A: Sigh. Probably.
Q: But mixing the two styles is worse?
A: Because it's confusing.
Q: Why not top post?

I just updated the prebuilt binaries (statically linked against uClibc)
at http://landley.net/aboriginal/downloads/binaries/extras to include the
new dropbear version.

The source I build from is mirrored at
http://landley.net/aboriginal/mirror (it's not a complete list because
I haven't always built every version), but it's something...

Rob

P.S. Since this is a security thing, if you want to reproduce these
binaries from source use the appropriate architecture's system image
from http://landley.net/aboriginal/bin and the static-tools build
control image from
http://landley.net/aboriginal/control-images/downloads/binaries and go:

   tar xvjf system-image-mips.tar.bz2
   cd system-image-mips
   ./native-build.sh static-tools.hdc

That should all work under qemu 1.6.1. (You may have to loopback mount
the resulting hdb.img to get the binaries out after it exits, because
it expects the toybox ftp command on the host to automatically upload
it out through the virtual network, which isn't exactly widely
deployed.)

(If you want to speed up the build process you can distccd on the host
and extract the appropriate cross-compiler tarball into that
system-image directory, the native-build script will autodetect them
and use distcc to call out to the cross compiler.)

If you want to rebuild the system image and build control images from
source, you want the http://landley.net/hg/aboriginal and
http://landley.net/hg/control-images repositories, respectively.
There's documentation about both at
http://landley.net/aboriginal/about.html and
http://landley.net/aboriginal/control-images respectively.

If you want to do the "diverse double compiling" thing described at
http://www.dwheeler.com/trusting-trust I can only point you at
http://elcc.org/blog and suggest giving them a hand.

On 10/06/2013 02:49:01 PM, Catalin Patulea wrote:
> Are there any mirrors of Dropbear releases? OpenWRT used to use
> http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
> but it seems that mirror is now defunct.
> 
> On Fri, Oct 4, 2013 at 10:38 AM, Matt Johnston <matt at ucc.asn.au> wrote:
> > Hi all,
> >
> > Dropbear 2013.59 has been released. It fixes a number of
> > bugs, including two security issues affecting prior
> > releases.
> >
> > - The Dropbear server could be made to consume large amounts
> > of memory because decompressed packet sizes weren't checked.
> > Depending on the OS and hardware this might be a denial of
> > service.
> >
> > - Valid users could be identified due to timing variations.
> >
> > As usual you can download it from
> > https://matt.ucc.asn.au/dropbear/dropbear.html
> >
> >
> > Cheers,
> > Matt
> >
> > 2013.59 - Friday 4 October 2013
> >
> > - Fix crash from -J command
> >   Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches
> >
> > - Avoid reading too much from /proc/net/rt_cache since that causes
> >   system slowness.
> >
> > - Improve EOF handling for half-closed connections
> >   Thanks to Catalin Patulea
> >
> > - Send a banner message to report PAM error messages intended for the user
> >   Patch from Martin Donnelly
> >
> > - Limit the size of decompressed payloads, avoids memory exhaustion denial
> >   of service
> >   Thanks to Logan Lamb for reporting and investigating it
> >
> > - Avoid disclosing existence of valid users through inconsistent delays
> >   Thanks to Logan Lamb for reporting
> >
> > - Update config.guess and config.sub for newer architectures
> >
> > - Avoid segfault in server for locked accounts
> >
> > - "make install" now installs manpages
> >   dropbearkey.8 has been renamed to dropbearkey.1
> >   manpage added for dropbearconvert
> >
> > - Get rid of one second delay when running non-interactive commands
> >
> > Releases are signed by PGP key matt at ucc.asn.au 4C647FBC
> >      D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC
> 
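The first security fix in the quoted release notes (limit the size of decompressed payloads) is easy to get wrong, so here is an added, stand-alone illustration of the defence. It is example code written for this page, not Dropbear's own implementation; the 35000-byte cap is an assumption taken from the RFC 4253 minimum packet size a receiver must accept, not Dropbear's constant. It contrasts an unbounded inflate (the pre-2013.59 behaviour as described above) with one that stops as soon as the output would exceed the cap, using a constructed zlib "bomb" as input.

```python
import zlib

# Assumed cap on a decompressed SSH payload (RFC 4253 minimum, 35000 bytes).
# This is an assumption for the example, not Dropbear's constant.
MAX_PAYLOAD = 35000


class PayloadTooLarge(Exception):
    """Raised when a compressed payload would inflate past the cap."""


def make_bomb(size):
    """Constructed test input: `size` zero bytes compressed at level 9.

    Highly repetitive data compresses roughly 1000:1, so a few kilobytes of
    compressed input can stand for many megabytes of output.
    """
    return zlib.compress(b"\x00" * size, 9)


def inflate_unbounded(data):
    """The vulnerable pattern: trust the stream and inflate all of it.

    Memory use is decided entirely by the peer, not by the receiver.
    """
    return zlib.decompress(data)


def inflate_bounded(data, limit=MAX_PAYLOAD):
    """Inflate `data`, never producing more than `limit` bytes.

    The streaming decompressor is asked for at most `limit` bytes of output.
    Anything it could not process is left in `unconsumed_tail`; probing that
    tail for a single extra byte tells us whether the real payload is larger
    than allowed, before we allocate anything more.  Stream end (eof) is
    deliberately not required: SSH compresses with sync flushes and never
    terminates the zlib stream between packets.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail and d.decompress(d.unconsumed_tail, 1):
        raise PayloadTooLarge(
            "payload exceeds %d bytes after %d bytes inflated" % (limit, len(out))
        )
    return out


def safe_to_inflate(data, limit=MAX_PAYLOAD):
    """Convenience wrapper: True if `data` inflates within `limit`."""
    try:
        inflate_bounded(data, limit)
        return True
    except PayloadTooLarge:
        return False


if __name__ == "__main__":
    bomb = make_bomb(10_000_000)          # 10 MB of output, a few KB of input
    print("compressed bomb size:", len(bomb))
    print("bounded inflate accepts bomb:", safe_to_inflate(bomb))
    legit = zlib.compress(b"ssh-userauth request " * 40)
    print("bounded inflate accepts legit:", safe_to_inflate(legit))
```

The key point is that the cap is enforced on output, not on the compressed input length: a receiver that only checks the size of what arrived on the wire learns nothing about what it will turn into.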

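The second fix (valid users identified through inconsistent delays) is the same class of bug in any authentication path that returns early when the username is unknown. As an added example for this page, not Dropbear's code or its actual fix, the block below shows a leaky check beside a uniform one that does the same amount of password-hashing work whether or not the user exists. The PBKDF2 parameters, the decoy salt and hash, and the call counter are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the example, not Dropbear's.
ITERATIONS = 50_000

# Counter so the test can prove both paths do equal work; timing itself is
# too noisy to assert on in a unit test.
HASH_CALLS = 0


def password_hash(password, salt):
    """PBKDF2-HMAC-SHA256; counts invocations for the work-equality check."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


# Decoy credentials used when the user does not exist (assumption for the
# example): the "no such user" path then costs exactly one hash, like the
# "wrong password" path.
DECOY_SALT = b"\x00" * 16
DECOY_HASH = password_hash(b"decoy-not-a-real-password", DECOY_SALT)


def build_db(users):
    """Constructed user database: name -> (salt, hash)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, password_hash(pw, salt))
    return db


def check_leaky(db, username, password):
    """Vulnerable pattern: unknown users are rejected before any hashing,
    so the response arrives measurably faster than for a known user with
    a wrong password."""
    if username not in db:
        return False
    salt, digest = db[username]
    return hmac.compare_digest(password_hash(password, salt), digest)


def check_uniform(db, username, password):
    """Hardened pattern: always hash against *some* salt and compare with a
    constant-time comparison, then fold in whether the user really exists.
    Both failure modes cost one hash and one compare."""
    salt, digest = db.get(username, (DECOY_SALT, DECOY_HASH))
    matched = hmac.compare_digest(password_hash(password, salt), digest)
    return matched and username in db


def hash_calls_for(check, db, username, password):
    """Run `check` once and return how many password hashes it computed."""
    global HASH_CALLS
    before = HASH_CALLS
    check(db, username, password)
    return HASH_CALLS - before


if __name__ == "__main__":
    db = build_db({b"alice": b"correct horse"})
    for name, fn in (("leaky", check_leaky), ("uniform", check_uniform)):
        unknown = hash_calls_for(fn, db, b"mallory", b"x")
        wrongpw = hash_calls_for(fn, db, b"alice", b"x")
        print("%s: hashes for unknown user=%d, wrong password=%d" % (name, unknown, wrongpw))
```

Equal work is the goal, not an added fixed sleep: a sleep only hides the difference when it dominates the hash cost, and the hash cost is meant to be large.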

