
Accepted dropbear 2014.65-1+deb8u2 (source amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 12:47:40 +0200
Source: dropbear
Binary: dropbear
Architecture: source amd64
Version: 2014.65-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 dropbear   - lightweight SSH2 server and client
Closes: 862970
Changes:
 dropbear (2014.65-1+deb8u2) stable-security; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
     - Fix double-free in server TCP listener cleanup
       A double-free in the server could be triggered by an authenticated user
       if dropbear is running with -a (Allow connections to forwarded ports
       from any host). This could potentially allow arbitrary code execution as
       root by an authenticated user.
     - Fix information disclosure with ~/.ssh/authorized_keys symlink.
       Dropbear parsed authorized_keys as root, even if it were a symlink. The
       fix is to switch to user permissions when opening authorized_keys.
       A user could symlink their ~/.ssh/authorized_keys to a root-owned file
       they couldn't normally read. If they managed to get that file to contain
       valid authorized_keys with command= options it might be possible to read
       other contents of that file.
       This information disclosure is to an already authenticated user.
Checksums-Sha1:
 cbaa65607d2a25d0bda3b9398cf8871f48ab6d7e 1720 dropbear_2014.65-1+deb8u2.dsc
 a15c03c89c405a34894322f158298bff034a138e 1858657 dropbear_2014.65.orig.tar.gz
 8b898e0bfdd1fd2ae50a3f750e88929d3db4d7f9 13872 dropbear_2014.65-1+deb8u2.diff.gz
 eb7d08872fa2016a87f3c5fdf1d72433fd145808 180526 dropbear_2014.65-1+deb8u2_amd64.deb
Checksums-Sha256:
 292ba94e3c415fd3f73cf09b6250c577ce86ba60a44bb499d8d9f27b5a0e456b 1720 dropbear_2014.65-1+deb8u2.dsc
 134259f52550d08353669dce1bc610a2cc2861949f9e52f924e6d096b1959d59 1858657 dropbear_2014.65.orig.tar.gz
 83fb1485b409ba8308245db5595f129e2a85ad23ba1e7a5c4e11872536da1aa0 13872 dropbear_2014.65-1+deb8u2.diff.gz
 1e3259cfee5e284ca7c6ba45a73e38d28ffbcf7ad0881b5a4267632fbbd43d3a 180526 dropbear_2014.65-1+deb8u2_amd64.deb
Files:
 19a02bc26b380d2e33e3db1f9db08671 1720 net optional dropbear_2014.65-1+deb8u2.dsc
 e11ed8597693c0165b72606d627df7d1 1858657 net optional dropbear_2014.65.orig.tar.gz
 eb02a92525699743dc01ea6e9a92eba0 13872 net optional dropbear_2014.65-1+deb8u2.diff.gz
 5cd30e769773ea393a6bfd03220b55cd 180526 net optional dropbear_2014.65-1+deb8u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

