Dropbear 2017.75

Guilhem Moulin guilhem at fripost.org
Fri May 19 20:37:28 AWST 2017

Hi Matt,

On Thu, 18 May 2017 at 23:02:09 +0800, Matt Johnston wrote:
> Dropbear 2017.75 is released. This has a couple of security
> fixes and a couple of bug fixes since 2016.74.

FYI https://matt.ucc.asn.au/dropbear/CHANGES yields 403 forbidden.

> - Security: Fix double-free in server TCP listener cleanup
>  A double-free in the server could be triggered by an authenticated user if
>  dropbear is running with -a (Allow connections to forwarded ports from any host)
>  This could potentially allow arbitrary code execution as root by an authenticated user.
>  Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.
> - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
>  Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
>  is to switch to user permissions when opening authorized_keys
>  A user could symlink their ~/.ssh/authorized_keys to a root-owned file they
>  couldn't normally read. If they managed to get that file to contain valid
>  authorized_keys with command= options it might be possible to read other
>  contents of that file.
>  This information disclosure is to an already authenticated user.
>  Thanks to Jann Horn of Google Project Zero for reporting this.

We're backporting these two to Debian Jessie (stable, soon to be
oldstable).  Did you already request CVE IDs?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20170519/c302775f/attachment.sig 

More information about the Dropbear mailing list