dropbear (2017.75-2) unstable; urgency=low

  * dropbear-initramfs:
    + init-bottom script: in the init-bottom script, send a SIGTERM to all
      process groups the leader of which is a child of the dropbear process,
      to ensure that all children of all SSH sessions are terminated (before
      dropbear itself is killed).
    + postinst: don't print the reminder to check "ip=" boot parameter if it's
      already found in /proc/cmdline.
    + premount script: log to standard error if the 'debug' environment
      variable is set.
    + premount script: boot method (local or NFS) is in environment variable
      'BOOT' not 'boot'.
    + On local mounts, don't bring down the network before dropbear was
      terminated (at init-bottom stage, not at local-bottom stage). Bringing
      down the network while an SSH session is still active makes clients hang
      until the connection times out.
    + init-bottom script: log which network interfaces are being brought down.
    + init-bottom script: replace xargs(1) with a while loop as it's
      apparently not included in Ubuntu's busybox. (LP: #1652091)
    + Compile with '--disable-bundled-libtom' to use system libtomcrypt /
      libtommath. (Closes: #870035)
  * debian/control: bump Standards-Version to 4.0.0 (no changes necessary).
  * debian/{control,dropbear-bin.install,dropbear-bin.manpages}: apply
    wrap-and-sort(1).

 -- Guilhem Moulin <email address hidden>  Tue, 08 Aug 2017 21:59:06 +0200
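The init-bottom cleanup described in the entry above (TERM the process groups led by dropbear's children, using a while loop rather than xargs), as an added POSIX sh example that is not the Debian package's own script. The `ps -o pid,ppid,pgid` column set, the `KILL_CMD` hook and the sample process table are assumptions made for the example.

```shell
# Added example, not the dropbear-initramfs init-bottom script itself. Written
# for a minimal busybox sh: no xargs (cf. LP: #1652091), only while/read.

# Print the PGIDs of process groups whose leader is a direct child of the PID
# given as $1 (the dropbear server). Input on stdin: "pid ppid pgid" lines,
# one process per line; a ps header line is skipped by the numeric check.
# A process leads its group when pid == pgid.
session_pgids() {
    parent="$1"
    while read -r pid ppid pgid; do
        case "$pid" in *[!0-9]*|'') continue ;; esac   # skip header/junk
        [ "$ppid" = "$parent" ] || continue             # child of dropbear
        [ "$pid" = "$pgid" ] || continue                # and a group leader
        echo "$pgid"
    done
}

# Send SIGTERM to every group read from stdin. A negative PID addresses the
# whole process group, so a session's shell and all its subprocesses get the
# signal. KILL_CMD is an assumed hook so a test can substitute a fake kill.
terminate_groups() {
    cmd="${KILL_CMD:-kill}"
    while read -r pgid; do
        "$cmd" -s TERM -- "-$pgid" 2>/dev/null || :
    done
}

# What an init-bottom hook would run; assumes busybox ps accepts
# "-o pid,ppid,pgid". Dropbear itself is killed only after this returns.
terminate_dropbear_sessions() {
    ps -o pid,ppid,pgid | session_pgids "$1" | terminate_groups
}

# Constructed process table: dropbear is PID 100. 200 and 300 are per-connection
# children that called setsid(); 201 and 301 are shells in those groups; 150 is
# a freshly forked child still in dropbear's own group (signalling that group
# would hit dropbear too early); 400 is unrelated.
SAMPLE_PS='PID PPID PGID
100 1 100
150 100 100
200 100 200
201 200 200
300 100 300
301 300 300
400 1 400'

# Space-separated list of the groups the sample would TERM: "200 300".
sample_pgids() {
    printf '%s\n' "$SAMPLE_PS" | session_pgids 100 | tr '\n' ' ' | sed 's/ $//'
}
```

Note that PID 150 is deliberately left alone: it is still in dropbear's own group, so signalling that group would terminate dropbear before the session cleanup the entry describes has finished.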
dropbear (2017.75-1) unstable; urgency=medium

  * New upstream release. Remove quilt patches CVE-2017-9078 and
    CVE-2017-9079, previously backported from 2017.75 to 2016.74-5.

 -- Guilhem Moulin <email address hidden>  Sat, 17 Jun 2017 12:36:10 +0200
dropbear (2016.74-5) unstable; urgency=high

  * Backport security fixes from 2017.75 (closes: #862970):
    - CVE-2017-9078: Fix double-free in server TCP listener cleanup.
      A double-free in the server could be triggered by an authenticated user
      if dropbear is running with -a (Allow connections to forwarded ports
      from any host). This could potentially allow arbitrary code execution as
      root by an authenticated user.
    - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a symlink. The
      fix is to switch to user permissions when opening authorized_keys.
      A user could symlink their ~/.ssh/authorized_keys to a root-owned file
      they couldn't normally read. If they managed to get that file to contain
      valid authorized_keys with command= options it might be possible to read
      other contents of that file.
      This information disclosure is to an already authenticated user.

 -- Guilhem Moulin <email address hidden>  Fri, 19 May 2017 23:41:21 +0200
dropbear (2016.74-4) unstable; urgency=medium

  * Also trigger maintainer scripts when upgrading from dropbear
    2014.65-1+deb8u1, by changing the upper bound from 2014.65-1 to
    2015.68-1~. (Closes: #862544)

 -- Guilhem Moulin <email address hidden>  Sun, 14 May 2017 16:56:40 +0200
dropbear (2016.74-3) unstable; urgency=high

  * debian/copyright: add missing paragraphs to match upstream's LICENSE file.
    (Closes: #860406.)

 -- Guilhem Moulin <email address hidden>  Sun, 16 Apr 2017 12:22:56 +0200
dropbear (2016.74-2) unstable; urgency=low

  * Tolerate lack of boot script config file /etc/dropbear-initramfs/config.
    This can happen when dropbear-initramfs is upgraded (from <2016.73-1)
    along with the kernel, and the kernel is configured before
    dropbear-initramfs, cf. #841503.
  * debian/control: Add Depends: lsb-base (>= 3.0-6) for dropbear-run.
  * debian/README.Debian, debian/copyright: upgrade the homepage URI to
    https://.

 -- Guilhem Moulin <email address hidden>  Tue, 13 Dec 2016 23:44:50 +0100