Hi Guilhem,

On Fri, Aug 24, 2018 at 03:15:10AM +0200, Guilhem Moulin wrote:
> dropbear 2014.65-1+deb8u2 from jessie-security is vulnerable to
> CVE-2018-15599:
>
> The recv_msg_userauth_request function in svr-auth.c in Dropbear
> through 2018.76 is prone to a user enumeration vulnerability because
> username validity affects how fields in SSH_MSG_USERAUTH messages
> are handled, a similar issue to CVE-2018-15473 in an unrelated
> codebase.
>
> I backported upstream changeset 1616:5d2d1021ca00 [0] and attached a
> debdiff against 2014.65-1+deb8u2.dsc. I did check that pubkey and
> password authentication still work :-) (We're building without PAM
> support, so patching svr-authpam.c isn't needed, but I guess it's better
> to stick to the upstream patch.)

cool cool!

> For convenience, you can also find the source package at
> dget -x https://people.debian.org/~guilhem/tmp/dropbear_2014.65-1+deb8u3.dsc

nice. I'll sponsor your upload shortly and will then also send a DLA.

Thanks for providing the fixed package!

--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds).org