Gentoo Bug 168847 - net-misc/dropbear (version < 0.49) hostkey mismatch weakness (CVE-2007-1099)

First Last Prev Next No search results available Search page Enter new bug

Bug#:	168847
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Pierre-Yves Rofes <py@gentoo.org>
Add CC:
CC:

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 168847 depends on:			Show dependency tree Show dependency graph
Bug 168847 blocks:			Show dependency tree Show dependency graph

Additional Comments: (this is where you put emerge --info)

Add to CC list

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2007-03-01 10:31 0000

A weakness has been reported in Dropbear, which can be exploited by
malicious people to bypass certain security restrictions.

The weakness is caused due to Dropbear not warning users sufficiently
if a hostkey changed, which makes it easier for attackers to e.g.
conduct man-in-the-middle attacks.

The weakness is reported in versions prior to 0.49.

SOLUTION:
Update to version 0.49.

------- Comment #1 From SpanKY 2007-03-02 17:49:36 0000 -------

0.49 is already in the tree

------- Comment #2 From Stefan Cornelius (RETIRED) 2007-03-02 19:34:37 0000 -------

arches, please test and stable 0.49, thanks

------- Comment #3 From Christian Faulhammer 2007-03-02 20:22:04 0000 -------

x86 stable

------- Comment #4 From Jeroen Roovers 2007-03-02 22:16:20 0000 -------

Stable for HPPA.

------- Comment #5 From Tobias Scherbaum 2007-03-03 12:51:17 0000 -------

ppc stable

------- Comment #6 From Steve Dibb 2007-03-03 14:20:36 0000 -------

amd64 stable

------- Comment #7 From Jason Wever (RETIRED) 2007-03-04 21:50:51 0000 -------

SPARC stable

------- Comment #8 From Jose Luis Rivero (yoswink) 2007-03-05 23:45:07 0000 -------

alpha stable

------- Comment #9 From Matthias Geerdsen 2007-03-07 15:56:46 0000 -------

all security supported arches marked stable

ready for glsa voting

------- Comment #10 From Alexander Færøy 2007-03-07 17:28:39 0000 -------

Stable on MIPS.

------- Comment #11 From Stefan Cornelius (RETIRED) 2007-03-07 18:49:23 0000 -------

previous dropbear versions asked for confirmation if a hostkey changed, so this
is only a security enhancement - imho not enough for a glsa:

voting no

------- Comment #12 From Raphael Marichez 2007-03-09 22:37:14 0000 -------

voting no too. Closing. Feel free to reopen if you disagree.

------- Comment #13 From Raúl Porcel 2007-03-31 18:30:30 0000 -------

ia64 stable

First Last Prev Next No search results available Search page Enter new bug

Bugzilla Bug 168847

net-misc/dropbear (version < 0.49) hostkey mismatch weakness (CVE-2007-1099)

Last modified: 2007-06-24 23:37:42 0000