Summary: | <net-misc/dropbear-2013.60: User Enumeration Weakness and Denial of Service Vulnerability (CVE-2013-{4421,4434}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | embedded, gentoo |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/55173/ | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-10-11 18:55:43 UTC
Commit message: Version bump
http://sources.gentoo.org/net-misc/dropbear/dropbear-2013.59.ebuild?rev=1.1
http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-exec-prefix.patch?rev=1.1
http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-scp-inst.patch?rev=1.1

(In reply to SpanKY from comment #1)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/dropbear/dropbear-2013.59.ebuild?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-exec-prefix.patch?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-scp-inst.patch?rev=1.1

Good. Is it ready for stabilization? If yes, please CC arches, thanks.

CVE-2013-4434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4434): Dropbear SSH Server before 2013.59 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to discover valid usernames.

CVE-2013-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4421): The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.

No response in 30 days. Arches, please test and mark stable:
net-misc/dropbear-2013.60
target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable

x86 stable

ppc stable

ppc64 stable

Stable for HPPA.

alpha stable

arm stable

ia64 stable.

Maintainer(s), please cleanup. Security, please vote.

Ping! Maintainer(s), please drop the vulnerable version.

Shouldn't this bug be closed?

Fabian, not yet. Cleanup was done but there still needs to be a GLSA process. Security, please vote.

Thanks for your work.

GLSA vote: no

GLSA vote: no. Closing as [noglsa].
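The two CVEs quoted in this thread describe two defensive patterns that are easy to get wrong: inflating a compressed packet without a ceiling on the output size (CVE-2013-4421), and taking a cheaper code path when the login user does not exist, so that failure timing reveals which accounts are real (CVE-2013-4434). The following Python is an added illustration of both patterns and is not Dropbear's code (Dropbear is written in C and its actual fix is not shown on this page). The cap `MAX_INFLATED`, the constructed user store `USERS`, the dummy record, and every function name here are assumptions made for the example.

```python
import hashlib
import hmac
import os
import zlib

# Cap on inflated payload size. Constructed for this example; an SSH server would
# tie it to the largest packet it is prepared to accept.
MAX_INFLATED = 35000


class DecompressionLimitExceeded(ValueError):
    """Raised when a compressed packet would inflate past the budget."""


def decompress_bounded(data: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate `data`, stopping as soon as the output would exceed `limit` bytes.

    Inflating into a fixed budget, instead of inflating everything and checking
    the size afterwards, is what stops a tiny packet from consuming memory.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        room = limit - len(out)
        # Request at most one byte beyond the budget: receiving it proves the
        # packet is too large, without ever allocating the full output.
        chunk = inflater.decompress(pending, max_length=room + 1)
        out += chunk
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {limit} bytes; packet rejected")
        pending = inflater.unconsumed_tail
        if not chunk or inflater.eof:
            break
    return bytes(out)


def inflate_or_reject(data: bytes, limit: int = MAX_INFLATED):
    """Return (True, payload) for a packet within budget, (False, None) otherwise.
    Corrupt zlib streams are rejected the same way as oversized ones."""
    try:
        return True, decompress_bounded(data, limit)
    except (DecompressionLimitExceeded, zlib.error):
        return False, None


def compress_payload(payload: bytes) -> bytes:
    """Helper for the example: build a compressed packet body the way a peer would."""
    return zlib.compress(payload, 9)


# ---- Timing side of CVE-2013-4434: unknown users must not be cheaper to reject ----

DERIVATIONS = [0]  # counts key-derivation calls so a test can see which path did work


def _derive(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash; skipping it is what leaks account existence."""
    DERIVATIONS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user store for the example: username -> (salt, stored hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _derive("correct horse battery", _ALICE_SALT))}

# Dummy record so that an unknown user costs exactly as much as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("unused placeholder", _DUMMY_SALT)


def check_password_leaky(user: str, password: str) -> bool:
    """Vulnerable shape: an unknown user returns before any derivation runs, so
    that failure is measurably faster than a known user's wrong password."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_derive(password, salt), stored)


def check_password_uniform(user: str, password: str) -> bool:
    """Hardened shape: derive against the dummy record when the user is unknown,
    so both failure paths do the same work, then reject."""
    entry = USERS.get(user)
    salt, stored = entry if entry is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_derive(password, salt), stored)
    return matched and entry is not None
```

`decompress_bounded` never holds more than `limit + 1` bytes of inflated output, which is the property a per-packet memory ceiling needs; a server would still pair it with the usual limits on packet count and connection lifetime. `check_password_uniform` equalises the expensive step only; a deployment that also delays or rate-limits failed logins should apply that delay identically on both paths.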