dropbear 2014.65-1+deb8u2 source package in Debian

Changelog

dropbear (2014.65-1+deb8u2) stable-security; urgency=high

  * Backport security fixes from 2017.75 (closes: #862970):
    - Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated user
      if dropbear is running with -a (Allow connections to forwarded ports
      from any host). This could potentially allow arbitrary code execution as
      root by an authenticated user.
    - Fix information disclosure with ~/.ssh/authorized_keys symlink.
      Dropbear parsed authorized_keys as root, even if it were a symlink. The
      fix is to switch to user permissions when opening authorized_keys.
      A user could symlink their ~/.ssh/authorized_keys to a root-owned file
      they couldn't normally read. If they managed to get that file to contain
      valid authorized_keys with command= options it might be possible to read
      other contents of that file.
      This information disclosure is to an already authenticated user.

 -- Guilhem Moulin <email address hidden>  Fri, 19 May 2017 12:47:40 +0200

Upload details

Uploaded by: Guilhem Moulin
Uploaded to: Jessie
Original maintainer: Guilhem Moulin
Architectures: any
Section: net
Urgency: Very Urgent

Publishing

Series Pocket Published Component Section
Jessie release main net

Builds

Downloads

File Size SHA-256 Checksum
dropbear_2014.65-1+deb8u2.dsc 1.7 KiB 292ba94e3c415fd3f73cf09b6250c577ce86ba60a44bb499d8d9f27b5a0e456b
dropbear_2014.65.orig.tar.gz 1.8 MiB 134259f52550d08353669dce1bc610a2cc2861949f9e52f924e6d096b1959d59
dropbear_2014.65-1+deb8u2.diff.gz 13.5 KiB 83fb1485b409ba8308245db5595f129e2a85ad23ba1e7a5c4e11872536da1aa0

No changes file available.

Binary packages built by this source