
Re: dropbear 2014.65-1+deb8u3 to fix CVE-2018-15599



Hi Guilhem,

On Fri, Aug 24, 2018 at 03:15:10AM +0200, Guilhem Moulin wrote:
> dropbear 2014.65-1+deb8u2 from jessie-security is vulnerable to
> CVE-2018-15599:
> 
>     The recv_msg_userauth_request function in svr-auth.c in Dropbear
>     through 2018.76 is prone to a user enumeration vulnerability because
>     username validity affects how fields in SSH_MSG_USERAUTH messages
>     are handled, a similar issue to CVE-2018-15473 in an unrelated
>     codebase.
> 
> I backported upstream changeset 1616:5d2d1021ca00 [0] and attached a
> debdiff against 2014.65-1+deb8u2.dsc.  I did check that pubkey and
> password authentication still work :-)  (We're building without PAM
> support, so patching svr-authpam.c isn't needed, but I guess it's better
> to stick to the upstream patch.)

cool cool!

> For convenience, you can also find the source package at
>     dget -x https://people.debian.org/~guilhem/tmp/dropbear_2014.65-1+deb8u3.dsc

nice. I'll sponsor your upload shortly and will then also send a DLA.

Thanks for providing the fixed package!


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
                    holger@(debian|reproducible-builds).org
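The bug class in the quoted CVE text (an authentication handler whose treatment of the remaining SSH_MSG_USERAUTH_REQUEST fields depends on whether the username exists) is illustrated below with a vulnerable and a hardened handler side by side. This is an added toy example, not Dropbear's code and not part of the thread; the two-field packet layout, the `user_exists` lookup, the `enum reply` values and the sample requests are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Replies a client can tell apart. Constructed for this illustration only. */
enum reply { REPLY_FAILURE = 0, REPLY_DISCONNECT = 1 };
/* Read one SSH "string": 4-byte big-endian length, then that many bytes. */
static bool get_string(const uint8_t **p, const uint8_t *end,
                       const uint8_t **s, size_t *n) {
    if (end - *p < 4) return false;
    uint32_t len = (uint32_t)(*p)[0] << 24 | (*p)[1] << 16 | (*p)[2] << 8 | (*p)[3];
    *p += 4;
    if ((size_t)(end - *p) < len) return false;
    *s = *p; *n = len; *p += len;
    return true;
}

/* Stand-in for the account lookup; only "alice" exists. */
static bool user_exists(const uint8_t *u, size_t n) {
    return n == 5 && memcmp(u, "alice", 5) == 0;
}

/* Vulnerable pattern: an unknown username returns before the password field
 * is parsed, so a malformed password field is only noticed for existing users. */
enum reply handle_vulnerable(const uint8_t *pkt, size_t len) {
    const uint8_t *p = pkt, *end = pkt + len, *u, *pw; size_t ul, pl;
    if (!get_string(&p, end, &u, &ul)) return REPLY_DISCONNECT;
    if (!user_exists(u, ul)) return REPLY_FAILURE;              /* early exit */
    if (!get_string(&p, end, &pw, &pl)) return REPLY_DISCONNECT;
    return REPLY_FAILURE;   /* real password check omitted: always fails here */
}
/* Hardened pattern: parse every field first, then consult user validity,
 * so malformed input gets the same reply whether or not the user exists. */
enum reply handle_hardened(const uint8_t *pkt, size_t len) {
    const uint8_t *p = pkt, *end = pkt + len, *u, *pw; size_t ul, pl;
    if (!get_string(&p, end, &u, &ul)) return REPLY_DISCONNECT;
    if (!get_string(&p, end, &pw, &pl)) return REPLY_DISCONNECT;
    (void)user_exists(u, ul);   /* checked only after all fields are consumed */
    return REPLY_FAILURE;
}
/* Constructed requests: "bob" (unknown) and "alice" (known), each followed by
 * a password field whose length prefix claims 16 bytes but carries only one. */
static const uint8_t REQ_BOB[]   = {0,0,0,3,'b','o','b',0,0,0,16,'x'};
static const uint8_t REQ_ALICE[] = {0,0,0,5,'a','l','i','c','e',0,0,0,16,'x'};

/* True when the handler's reply differs between the two users, i.e. it is an oracle. */
bool leaks_username(enum reply (*h)(const uint8_t *, size_t)) {
    return h(REQ_BOB, sizeof REQ_BOB) != h(REQ_ALICE, sizeof REQ_ALICE);
}
```

Running `leaks_username` against both handlers shows the vulnerable one answering differently for the two users on the same malformed packet, and the hardened one answering identically.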
