Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 168847 - net-misc/dropbear (version < 0.49) hostkey mismatch weakness (CVE-2007-1099)
Summary: net-misc/dropbear (version < 0.49) hostkey mismatch weakness (CVE-2007-1099)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24345/
Whiteboard: B4 [noglsa] p-y
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-01 10:31 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-06-24 23:37 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-01 10:31:23 UTC 
A weakness has been reported in Dropbear, which can be exploited by
malicious people to bypass certain security restrictions.

The weakness is caused due to Dropbear not warning users sufficiently
if a hostkey changed, which makes it easier for attackers to e.g.
conduct man-in-the-middle attacks.

The weakness is reported in versions prior to 0.49.

SOLUTION:
Update to version 0.49.
Comment 1 SpanKY gentoo-dev 2007-03-02 17:49:36 UTC 
0.49 is already in the tree
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-02 19:34:37 UTC 
arches, please test and stable 0.49, thanks
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-02 20:22:04 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-03-02 22:16:20 UTC 
Stable for HPPA.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-03 12:51:17 UTC 
ppc stable
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-03-03 14:20:36 UTC 
amd64 stable
Comment 7 Jason Wever (RETIRED) gentoo-dev 2007-03-04 21:50:51 UTC 
SPARC stable
Comment 8 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-05 23:45:07 UTC 
alpha stable
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-07 15:56:46 UTC 
all security supported arches marked stable

ready for glsa voting
Comment 10 Alexander Færøy 2007-03-07 17:28:39 UTC 
Stable on MIPS.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-07 18:49:23 UTC 
previous dropbear versions asked for confirmation if a hostkey changed, so this is only a security enhancement - imho not enough for a glsa:

voting no
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:37:14 UTC 
voting no too. Closing. Feel free to reopen if you disagree.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 18:30:30 UTC 
ia64 stable