From ${URL} :

Description:
A weakness and a vulnerability have been reported in Dropbear SSH Server, which can be exploited by malicious people to disclose certain sensitive information and cause a DoS (Denial of Service).

1) A timing error when authenticating users can be exploited to e.g. enumerate valid user names.

2) An error in the "buf_decompress()" function (packet.c) when handling compressed payloads can be exploited to e.g. exhaust available memory resources by sending a specially crafted packet.

The weakness and the vulnerability are reported in versions prior to 2013.59.

Solution: Update to version 2013.59.

Provided and/or discovered by: The vendor credits Logan Lamb.

Original Advisory: https://matt.ucc.asn.au/dropbear/CHANGES

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Commit message: Version bump
http://sources.gentoo.org/net-misc/dropbear/dropbear-2013.59.ebuild?rev=1.1
http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-exec-prefix.patch?rev=1.1
http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-scp-inst.patch?rev=1.1
(In reply to SpanKY from comment #1)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/dropbear/dropbear-2013.59.ebuild?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-exec-prefix.patch?rev=1.1
> http://sources.gentoo.org/net-misc/dropbear/files/dropbear-2013.59-scp-inst.patch?rev=1.1

Good. Is it ready for stabilization? If yes, please CC arches, thanks.
CVE-2013-4434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4434):
Dropbear SSH Server before 2013.59 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to discover valid usernames.

CVE-2013-4421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4421):
The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.
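The memory-consumption issue behind CVE-2013-4421 comes down to inflating a peer's compressed payload with no ceiling on the output size. The following is an added Python model of that failure mode and its mitigation; it is not Dropbear's code. It assumes SSH's shape of compression (one continuous zlib stream per direction, sync-flushed once per packet); MAX_PAYLOAD_LEN and the sample payloads are constructed values for the example.

```python
import zlib

# Cap on the inflated size of one packet payload. Constructed value for this
# example; a real server uses its own compile-time maximum payload length.
MAX_PAYLOAD_LEN = 32 * 1024


class PayloadTooLarge(Exception):
    """The peer's compressed payload would inflate past MAX_PAYLOAD_LEN."""


def compress_packet(comp, payload: bytes) -> bytes:
    # SSH compresses a continuous stream and sync-flushes once per packet, so
    # the stream never ends; each packet on the wire is one flushed chunk of it.
    return comp.compress(payload) + comp.flush(zlib.Z_SYNC_FLUSH)


def decompress_unbounded(decomp, data: bytes) -> bytes:
    # Weak pattern: inflate whatever arrives, growing the buffer until the input
    # is exhausted. A few KiB of compressed zeros can expand to many MiB.
    return decomp.decompress(data)


def decompress_bounded(decomp, data: bytes, limit: int = MAX_PAYLOAD_LEN) -> bytes:
    # Hardened pattern: ask zlib for at most limit+1 bytes. If it can produce
    # more than the cap, the packet is over budget and the connection should be
    # dropped instead of the output buffer being grown.
    out = decomp.decompress(data, limit + 1)
    if len(out) > limit:
        raise PayloadTooLarge(f"payload inflates beyond {limit} bytes")
    return out


def demo():
    """Ordinary packets pass both paths; the oversized one passes only the weak path."""
    comp = zlib.compressobj()
    weak, hardened = zlib.decompressobj(), zlib.decompressobj()
    # Constructed traffic: two small payloads, then 8 MiB of zeros, which deflate
    # shrinks to a few KiB (the decompression-bomb shape described in the CVE).
    packets = [b"SSH_MSG_CHANNEL_DATA hello", b"SSH_MSG_CHANNEL_DATA world", b"\x00" * (8 << 20)]
    wire = [compress_packet(comp, p) for p in packets]
    weak_sizes = [len(decompress_unbounded(weak, w)) for w in wire]
    hardened_ok = [decompress_bounded(hardened, w) for w in wire[:2]]
    try:
        decompress_bounded(hardened, wire[2])
        rejected = False
    except PayloadTooLarge:
        rejected = True
    return weak_sizes, hardened_ok, rejected, len(wire[2])


if __name__ == "__main__":
    print(demo())
```

Because the decompressor state persists across packets, the bounded check has to be applied per packet rather than once per stream; the second legitimate packet above decompresses correctly only because the first was fully consumed.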
no response in 30 days. Arches, please test and mark stable: net-misc/dropbear-2013.60 target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
Stable for HPPA.
alpha stable
arm stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Ping! Maintainer(s), please drop the vulnerable version.
Shouldn't this bug be closed?
Fabian, not yet. Cleanup was done but there still needs to be a GLSA process. Security, please vote.
Thanks for your work. GLSA vote: no.
GLSA vote: no. Closing as [noglsa].