Bug#: 134512
Status: RESOLVED
Resolution: FIXED
Assigned To: SpanKY <vapier@gentoo.org>
Reporter: Milan Holzäpfel <public@mjh.name>

Attachment: dropbear-0.47-r1_0.48.1.ebuild.diff
Attachment Description: Diff from dropbear-0.47-r1.ebuild to my dropbear-0.48.1.ebuild
Attachment Type: patch
Attachment Creator: Milan Holzäpfel
Attachment Created: 2006-05-27 05:41 0000
Attachment Size: 757 bytes



Description:   Opened: 2006-05-27 05:38 0000
Hello, 

A new version of dropbear is available.  It reduces the delays one is likely to
get on non-busy, dedicated servers on log-in, mainly caused by waiting for
/dev/random. 
I will attach a patch from the 0.47-r1 ebuild to the 0.48.1-one I successfully
used.  It removes dropbear-0.47-CVE-2006-0225.patch (see ChangeLog of Dropbear)
and renames the tar.bz2 into tar.gz, as no tar.bz2 is available on the Dropbear
site. 



Full ChangeLog:
0.48.1 - Sat 11 March 2006

- Compile fix for scp

0.48 - Thurs 9 March 2006

- Check that the circular buffer is properly empty before
  closing a channel, which could cause truncated transfers
  (thanks to Tomas Vanek for helping track it down)

- Implement per-IP pre-authentication connection limits 
  (after some poking from Pablo Fernandez)

- Exit gracefully if trying to connect to as SSH v1 server 
  (reported by Rushi Lala)

- Only read /dev/random once at startup when in non-inetd mode

- Allow ctrl-c to close a dbclient password prompt (may
  still have to press enter on some platforms)

- Merged in uClinux patch for inetd mode

- Updated to scp from OpenSSH 4.3p2 - fixes a security issue
  where use of system() could cause users to execute arbitrary
  code through malformed filenames, ref CVE-2006-0225



Regards,
Milan

------- Comment #1 From Milan Holzäpfel 2006-05-27 05:41:13 0000 -------
Created an attachment (id=87637)
Diff from dropbear-0.47-r1.ebuild to my dropbear-0.48.1.ebuild

- Rename source files from tar.bz2 to tar.gz (no tar.bz2 available)
- Remove dropbear-0.47-CVE-2006-0225.patch (fix is included in this release)

------- Comment #2 From SpanKY 2006-06-07 06:07:35 0000 -------
in portage, thanks
