[SECURITY] [DLA 3187-1] dropbear security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3187-1] dropbear security update
From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date: Mon, 14 Nov 2022 03:34:45 +0530
Message-id: <[🔎] CAPP0f97NrSxPzonXN62zJH0SyC180A+-GxFCDWtpYCkXL_JYKQ@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3187-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 14, 2022                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : dropbear
Version        : 2018.76-5+deb10u2
CVE ID         : CVE-2021-36369

An issue was discovered in Dropbear, a relatively small SSH server and
client. Due to a non-RFC-compliant check of the available authentication
methods in the client-side SSH code, it was possible for an SSH server
to change the login process in its favor. This attack can bypass
additional security measures such as FIDO2 tokens or SSH-Askpass. Thus,
it allows an attacker to abuse a forwarded agent for logging on to
another server unnoticed.

For Debian 10 buster, this problem has been fixed in version
2018.76-5+deb10u2.

We recommend that you upgrade your dropbear packages.

For the detailed security status of dropbear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dropbear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmNxacIACgkQgj6WdgbD
S5b5QA//ccWLlO3tWt+By8byK8Ij/JDMFJLYqyUeactXN5LZPU8auiTLvt9KP+U1
8ONBg1ag/p3RDeViuMOL84++jKuOZl3q5av1lNPrylmme/4k+VfkXc1/t+dTr96e
bvXx3Kqz9EvmIylEoe+lqonlsnQYJGKY8UM1x85o7tqMb5Xe9sY4dLroQFR3EMuV
1+g/hgyuxyd9i35CBq4L+YhQOZTf5Pl5dbv7hYwInCMgiJCuNQNQZxW4lObf/zGh
r8xCJnJsMHVsm6KGzSEuA3AtsJt6WGMxU4jtimpSy/XUNlHUP494mcQA4GEUSXbQ
+82j+BIgAQ6Fh4AzsEXKH51N5m+KHeex4i9nhwbke+IiByQll1Ro+jlHZsxP4Ptx
pKug07pYrrJDvN2ClBjcs5nKHjibPj1wehmxVX94mxKaktPut5w+3Bjwm2Id0gbX
z+jBIWlEUR3644AFQcr14gizekiKmMfui/4/Cn2/RIBQ0qofwKW0JhDe0Jsz+kP8
hLs9ryR+G9fBKC/c3vBhkgkbkvruHXRuUpJGl7XIL0PVL9WCCAo6igXWIsqY3WeJ
B7wDyijY4xhf845qwUifd4qZzR+26N1A3vF+RS+Vhd7mYi9Gx8Wmg0izvOOal9GE
8mKu5O/SPa7Q1YsOo0sd+RG9U3/InX96pwZ7uV6I3NRtB4PZD70=
=Sjht
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3188-1] sysstat security update
Next by Date: [SECURITY] [DLA 3187-1] dropbear security update
Previous by thread: [SECURITY] [DLA 3188-1] sysstat security update
Next by thread: [SECURITY] [DLA 3187-1] dropbear security update
Index(es):
- Date
- Thread