comparison CHANGES @ 1737:8b27de2c92ee

Change secure.ucc.asn.au/hg to hg.ucc.asn.au
author Matt Johnston <matt@ucc.asn.au>
date Tue, 28 Jul 2020 18:53:48 +0800
parents cddc90de1b6f
children 4b984c42372d
comparison
1736:0c31aedc3124 1737:8b27de2c92ee
213 - Security: Fix double-free in server TCP listener cleanup 213 - Security: Fix double-free in server TCP listener cleanup
214 A double-free in the server could be triggered by an authenticated user if 214 A double-free in the server could be triggered by an authenticated user if
215 dropbear is running with -a (Allow connections to forwarded ports from any host) 215 dropbear is running with -a (Allow connections to forwarded ports from any host)
216 This could potentially allow arbitrary code execution as root by an authenticated user. 216 This could potentially allow arbitrary code execution as root by an authenticated user.
217 Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. 217 Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash.
218 CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c 218 CVE-2017-9078 https://hg.ucc.asn.au/dropbear/rev/c8114a48837c
219 219
220 - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. 220 - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink.
221 Dropbear parsed authorized_keys as root, even if it were a symlink. The fix 221 Dropbear parsed authorized_keys as root, even if it were a symlink. The fix
222 is to switch to user permissions when opening authorized_keys 222 is to switch to user permissions when opening authorized_keys
223 223
225 couldn't normally read. If they managed to get that file to contain valid 225 couldn't normally read. If they managed to get that file to contain valid
226 authorized_keys with command= options it might be possible to read other 226 authorized_keys with command= options it might be possible to read other
227 contents of that file. 227 contents of that file.
228 This information disclosure is to an already authenticated user. 228 This information disclosure is to an already authenticated user.
229 Thanks to Jann Horn of Google Project Zero for reporting this. 229 Thanks to Jann Horn of Google Project Zero for reporting this.
230 CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 230 CVE-2017-9079 https://hg.ucc.asn.au/dropbear/rev/0d889b068123
231 231
232 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync 232 - Generate hostkeys with dropbearkey atomically and flush to disk with fsync
233 Thanks to Andrei Gherzan for a patch 233 Thanks to Andrei Gherzan for a patch
234 234
235 - Fix out of tree builds with bundled libtom 235 - Fix out of tree builds with bundled libtom
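Review bot: On lines 218 and 230 the rev URL shares a line with the CVE id, while the 2016 entries (lines 249-250, 254-255 and following) put the URL on its own line. Since both lines are being rewritten here anyway, consider splitting them so every security entry in CHANGES has the same layout.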
245 245
246 A dbclient user who can control username or host arguments could potentially 246 A dbclient user who can control username or host arguments could potentially
247 run arbitrary code as the dbclient user. This could be a problem if scripts 247 run arbitrary code as the dbclient user. This could be a problem if scripts
248 or webpages pass untrusted input to the dbclient program. 248 or webpages pass untrusted input to the dbclient program.
249 CVE-2016-7406 249 CVE-2016-7406
250 https://secure.ucc.asn.au/hg/dropbear/rev/b66a483f3dcb 250 https://hg.ucc.asn.au/dropbear/rev/b66a483f3dcb
251 251
252 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as 252 - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
253 the local dropbearconvert user when parsing malicious key files 253 the local dropbearconvert user when parsing malicious key files
254 CVE-2016-7407 254 CVE-2016-7407
255 https://secure.ucc.asn.au/hg/dropbear/rev/34e6127ef02e 255 https://hg.ucc.asn.au/dropbear/rev/34e6127ef02e
256 256
257 - Security: dbclient could run arbitrary code as the local dbclient user if 257 - Security: dbclient could run arbitrary code as the local dbclient user if
258 particular -m or -c arguments are provided. This could be an issue where 258 particular -m or -c arguments are provided. This could be an issue where
259 dbclient is used in scripts. 259 dbclient is used in scripts.
260 CVE-2016-7408 260 CVE-2016-7408
261 https://secure.ucc.asn.au/hg/dropbear/rev/eed9376a4ad6 261 https://hg.ucc.asn.au/dropbear/rev/eed9376a4ad6
262 262
263 - Security: dbclient or dropbear server could expose process memory to the 263 - Security: dbclient or dropbear server could expose process memory to the
264 running user if compiled with DEBUG_TRACE and running with -v 264 running user if compiled with DEBUG_TRACE and running with -v
265 CVE-2016-7409 265 CVE-2016-7409
266 https://secure.ucc.asn.au/hg/dropbear/rev/6a14b1f6dc04 266 https://hg.ucc.asn.au/dropbear/rev/6a14b1f6dc04
267 267
268 The security issues were reported by an anonymous researcher working with 268 The security issues were reported by an anonymous researcher working with
269 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html 269 Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
270 270
271 - Fix port forwarding failure when connecting to domains that have both 271 - Fix port forwarding failure when connecting to domains that have both
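Review bot: The five CVE fix links on lines 250 to 266 change host and drop the /hg prefix in a single step, so each /dropbear/rev/<hash> path should be checked to resolve on hg.ucc.asn.au. It is also worth confirming that the old secure.ucc.asn.au/hg paths keep redirecting, because earlier revisions of CHANGES such as 1736 still carry them.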
307 307
308 2016.72 - 9 March 2016 308 2016.72 - 9 March 2016
309 309
310 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, 310 - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
311 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116 311 found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
312 https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff 312 https://hg.ucc.asn.au/dropbear/rev/a3e8389e01ff
313 313
314 2015.71 - 3 December 2015 314 2015.71 - 3 December 2015
315 315
316 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 316 - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
317 317
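Review bot: On line 311, directly above the changed URL, "Thanks for Damien Miller for a patch" reads as a typo for "Thanks to Damien Miller". It could be fixed in the same pass over this entry.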
588 Patch from Martin Donnelly 588 Patch from Martin Donnelly
589 589
590 - Limit the size of decompressed payloads, avoids memory exhaustion denial 590 - Limit the size of decompressed payloads, avoids memory exhaustion denial
591 of service 591 of service
592 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421 592 Thanks to Logan Lamb for reporting and investigating it. CVE-2013-4421
593 https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f 593 https://hg.ucc.asn.au/dropbear/rev/0bf76f54de6f
594 594
595 - Avoid disclosing existence of valid users through inconsistent delays 595 - Avoid disclosing existence of valid users through inconsistent delays
596 Thanks to Logan Lamb for reporting. CVE-2013-4434 596 Thanks to Logan Lamb for reporting. CVE-2013-4434
597 https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a 597 https://hg.ucc.asn.au/dropbear/rev/d7784616409a
598 598
599 - Update config.guess and config.sub for newer architectures 599 - Update config.guess and config.sub for newer architectures
600 600
601 - Avoid segfault in server for locked accounts 601 - Avoid segfault in server for locked accounts
602 602
695 authorized_keys restrictions are used. Could allow arbitrary code execution 695 authorized_keys restrictions are used. Could allow arbitrary code execution
696 or bypass of the command="..." restriction to an authenticated user. 696 or bypass of the command="..." restriction to an authenticated user.
697 This bug affects releases 0.52 onwards. Ref CVE-2012-0920. 697 This bug affects releases 0.52 onwards. Ref CVE-2012-0920.
698 Thanks to Danny Fullerton of Mantor Organization for reporting 698 Thanks to Danny Fullerton of Mantor Organization for reporting
699 the bug. 699 the bug.
700 https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 700 https://hg.ucc.asn.au/dropbear/rev/818108bf7749
701 701
702 - Compile fix, only apply IPV6 socket options if they are available in headers 702 - Compile fix, only apply IPV6 socket options if they are available in headers
703 Thanks to Gustavo Zacarias for the patch 703 Thanks to Gustavo Zacarias for the patch
704 704
705 - Overwrite session key memory on exit 705 - Overwrite session key memory on exit
739 message informing what the port is, thanks to Ali Onur Uyar. 739 message informing what the port is, thanks to Ali Onur Uyar.
740 740
741 - New version numbering scheme. 741 - New version numbering scheme.
742 742
743 Source repository has now migrated to Mercurial at 743 Source repository has now migrated to Mercurial at
744 https://secure.ucc.asn.au/hg/dropbear/graph/default 744 https://hg.ucc.asn.au/dropbear/graph/default
745 745
746 0.53.1 - Wednesday 2 March 2011 746 0.53.1 - Wednesday 2 March 2011
747 747
748 - -lcrypt needs to be before object files for static linking 748 - -lcrypt needs to be before object files for static linking
749 749
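Review bot: Line 744 is the only rewritten link that uses a /graph/default path rather than /dropbear/rev/<hash>, so it needs its own check that the path exists on hg.ucc.asn.au. It also sits inside a dated announcement ("Source repository has now migrated to Mercurial at"), which after this change names a host that differs from the one in revision 1736; a short mention of the host move in the commit message would make that clear to anyone comparing the two.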