
Accepted dropbear 2016.74-5 (source amd64 all) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 19 May 2017 23:41:21 +0200
Source: dropbear
Binary: dropbear-bin dropbear-run dropbear-initramfs dropbear
Architecture: source amd64 all
Version: 2016.74-5
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 dropbear   - transitional dummy package for dropbear-{run,initramfs}
 dropbear-bin - lightweight SSH2 server and client - command line tools
 dropbear-initramfs - lightweight SSH2 server and client - initramfs integration
 dropbear-run - lightweight SSH2 server and client - startup scripts
Closes: 862970
Changes:
 dropbear (2016.74-5) unstable; urgency=high
 .
   * Backport security fixes from 2017.75 (closes: #862970):
     - CVE-2017-9078: Fix double-free in server TCP listener cleanup
       A double-free in the server could be triggered by an authenticated user
       if dropbear is running with -a (Allow connections to forwarded ports
       from any host). This could potentially allow arbitrary code execution as
       root by an authenticated user.
     - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
       symlink.
       Dropbear parsed authorized_keys as root, even if it were a symlink. The
       fix is to switch to user permissions when opening authorized_keys.
       A user could symlink their ~/.ssh/authorized_keys to a root-owned file
       they couldn't normally read. If they managed to get that file to contain
       valid authorized_keys with command= options it might be possible to read
       other contents of that file.
       This information disclosure is to an already authenticated user.

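The CVE-2017-9079 entry above describes the fix as switching to user permissions when opening authorized_keys. The C sketch below shows that general pattern as an added example; it is not Dropbear's code or the Debian patch, and open_as_user is a hypothetical helper name.

```c
/* Added example (not Dropbear source): open a per-user file with the
 * user's effective IDs so the kernel enforces that user's access rights. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns a read-only fd, or -1 if the IDs could not
 * be switched or the user is not allowed to read the file. Supplementary
 * groups are left unchanged here; a daemon would also have to handle them. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd;

    /* Group first: after euid becomes unprivileged, setegid() can fail. */
    if (setegid(gid) < 0)
        return -1;
    if (seteuid(uid) < 0) {
        if (setegid(saved_gid) < 0)
            _exit(1);
        return -1;
    }

    /* Permission checks now apply to the whole path, including the target
     * of a symlink such as ~/.ssh/authorized_keys -> root-owned file. */
    fd = open(path, O_RDONLY);

    /* Restore in reverse order. Continuing with unknown IDs is unsafe,
     * so failure to restore terminates the process. */
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
        _exit(1);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    /* Constructed demo: use the caller's real IDs as the target user. */
    int fd = open_as_user(argv[1], getuid(), getgid());
    printf("%s: %s\n", argv[1], fd >= 0 ? "readable" : "not readable");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

When run as root with another user's IDs, the open fails with a permission error for any file that user cannot read, which is the behaviour the changelog entry relies on.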

