Summary: | <net-misc/dropbear-2012.55 SSH server use-after-free vulnerability (CVE-2012-0920) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Michael Harrison <n0idx80>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | embedded, kfm
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://seclists.org/fulldisclosure/2012/Feb/403 | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 328409 | |
Description
Michael Harrison
2012-02-24 15:46:51 UTC
in the tree

Thanks muchly. Arches, please test and mark stable: =net-misc/dropbear-2012.55
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Is sys-libs/zlib-1.2.5.1-r2 good to go stable? sys-libs/zlib-1.2.6 might be too new.

@base-system: Can you respond to jer's question?

I rewrote the dep to not require newer zlib: http://sources.gentoo.org/net-misc/dropbear/dropbear-2012.55.ebuild?r1=1.1&r2=1.2

Stable for HPPA.

ppc done

amd64 stable

x86 stable

Stable on alpha.

ppc64 done

arm/ia64/m68k/s390/sh/sparc stable

Thanks, everyone. GLSA request filed.

CVE-2012-0920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0920): Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."

This issue was resolved and addressed in GLSA 201309-20 at http://security.gentoo.org/glsa/glsa-201309-20.xml by GLSA coordinator Chris Reffett (creffett).