diff -u dropbear-2012.55/debian/changelog dropbear-2012.55/debian/changelog
--- dropbear-2012.55/debian/changelog
+++ dropbear-2012.55/debian/changelog
@@ -1,3 +1,12 @@
+dropbear (2012.55-1.4) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix cve-2013-4421: memory exhaustion issue (closes: #726019).
+  * Fix timing delays that may reveal whether a user account is valid
+    (closes: #726118).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Wed, 16 Oct 2013 03:29:42 +0000
+
 dropbear (2012.55-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- dropbear-2012.55.orig/debian/diff/0004-cve-2013-4421.diff
+++ dropbear-2012.55/debian/diff/0004-cve-2013-4421.diff
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1368026594 -28800
+# Node ID 0bf76f54de6fc6dda70985a51ee7b25922e6fea4
+# Parent  7bd88d546627ff31d0e2d91e6022b3e77a943efb
+Limit decompressed size
+
+diff -r 7bd88d546627 -r 0bf76f54de6f packet.c
+--- a/packet.c	Mon Apr 29 23:42:37 2013 +0800
++++ b/packet.c	Wed May 08 23:23:14 2013 +0800
+@@ -42,7 +42,7 @@
+ static int checkmac();
+ 
+ #define ZLIB_COMPRESS_INCR 100
+-#define ZLIB_DECOMPRESS_INCR 100
++#define ZLIB_DECOMPRESS_INCR 1024
+ #ifndef DISABLE_ZLIB
+ static buffer* buf_decompress(buffer* buf, unsigned int len);
+ static void buf_compress(buffer * dest, buffer * src, unsigned int len);
+@@ -420,7 +420,12 @@
+ 		}
+ 
+ 		if (zstream->avail_out == 0) {
+-			buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
++			int new_size = 0;
++			if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
++				dropbear_exit("bad packet, oversized decompressed");
++			}
++			new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
++			buf_resize(ret, new_size);
+ 		}
+ 	}
+ }
+
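Review bot: `new_size` at the `int new_size = 0;` line is signed while it is assigned from `MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR)` and handed to buf_resize; the other lengths visible in this hunk (`unsigned int len`) are unsigned, so `unsigned int new_size;` avoids an implicit signed/unsigned conversion and a -Wsign-compare warning without changing behaviour. The limit check only runs once the output buffer is already full, so whether a payload that decompresses to exactly RECV_MAX_PAYLOAD_LEN is accepted or rejected depends on whether the loop's exit test fires before this branch; buf_decompress starts before this hunk so that test is not visible, and a boundary test or a one-line comment such as `/* exactly RECV_MAX_PAYLOAD_LEN bytes is still accepted/rejected: see loop exit above */` would pin it. The `ret->size + ZLIB_DECOMPRESS_INCR` sum cannot wrap here because ret->size is already below RECV_MAX_PAYLOAD_LEN when it is evaluated.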
only in patch2:
unchanged:
--- dropbear-2012.55.orig/debian/diff/0005-user-disclosure.diff
+++ dropbear-2012.55/debian/diff/0005-user-disclosure.diff
@@ -0,0 +1,136 @@
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1369564764 -28800
+# Node ID d7784616409a427f3bc6eb9e0d3f8b942404fe5b
+# Parent  e0084f136cb88f8530928d85378b1d344d41f789
+improve auth failure delays to avoid indicating which users exist
+
+--- a/svr-auth.c	2013-10-15 23:57:41.935735500 -0400
++++ b/svr-auth.c	2013-10-16 00:05:10.343719116 -0400
+@@ -110,6 +110,7 @@
+ 
+ 	unsigned char *username = NULL, *servicename = NULL, *methodname = NULL;
+ 	unsigned int userlen, servicelen, methodlen;
++	int valid_user = 0;
+ 
+ 	TRACE(("enter recv_msg_userauth_request"))
+ 
+@@ -141,6 +142,14 @@
+ 		dropbear_exit("unknown service in auth");
+ 	}
+ 
++	/* check username is good before continuing. 
++	* the 'incrfail' varies depending on the auth method to
++	* avoid giving away which users exist on the system through
++	* the time delay. */
++	if (checkusername(username, userlen) == DROPBEAR_SUCCESS) {
++		valid_user = 1;
++	}
++
+ 	/* user wants to know what methods are supported */
+ 	if (methodlen == AUTH_METHOD_NONE_LEN &&
+ 			strncmp(methodname, AUTH_METHOD_NONE,
+@@ -149,14 +158,6 @@
+ 		send_msg_userauth_failure(0, 0);
+ 		goto out;
+ 	}
+-	
+-	/* check username is good before continuing */
+-	if (checkusername(username, userlen) == DROPBEAR_FAILURE) {
+-		/* username is invalid/no shell/etc - send failure */
+-		TRACE(("sending checkusername failure"))
+-		send_msg_userauth_failure(0, 1);
+-		goto out;
+-	}
+ 
+ #ifdef ENABLE_SVR_PASSWORD_AUTH
+ 	if (!svr_opts.noauthpass &&
+@@ -165,8 +166,10 @@
+ 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+ 				strncmp(methodname, AUTH_METHOD_PASSWORD,
+ 					AUTH_METHOD_PASSWORD_LEN) == 0) {
+-			svr_auth_password();
+-			goto out;
++			if (valid_user) {
++				svr_auth_password();
++				goto out;
++			}
+ 		}
+ 	}
+ #endif
+@@ -178,8 +181,10 @@
+ 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
+ 				strncmp(methodname, AUTH_METHOD_PASSWORD,
+ 					AUTH_METHOD_PASSWORD_LEN) == 0) {
+-			svr_auth_pam();
+-			goto out;
++			if (valid_user) {
++				svr_auth_pam();
++				goto out;
++			}
+ 		}
+ 	}
+ #endif
+@@ -189,12 +194,17 @@
+ 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
+ 			strncmp(methodname, AUTH_METHOD_PUBKEY,
+ 				AUTH_METHOD_PUBKEY_LEN) == 0) {
+-		svr_auth_pubkey();
++		if (valid_user) {
++			svr_auth_pubkey();
++		} else {
++			/* pubkey has no failure delay */
++			send_msg_userauth_failure(0, 0);
++		}
+ 		goto out;
+ 	}
+ #endif
+ 
+-	/* nothing matched, we just fail */
++	/* nothing matched, we just fail with a delay */
+ 	send_msg_userauth_failure(0, 1);
+ 
+ out:
+@@ -237,7 +247,6 @@
+ 		dropbear_log(LOG_WARNING,
+ 				"Login attempt for nonexistent user from %s",
+ 				svr_ses.addrstring);
+-		send_msg_userauth_failure(0, 1);
+ 		return DROPBEAR_FAILURE;
+ 	}
+ 
+@@ -245,7 +254,6 @@
+ 	if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) {
+ 		TRACE(("leave checkusername: root login disabled"))
+ 		dropbear_log(LOG_WARNING, "root login rejected");
+-		send_msg_userauth_failure(0, 1);
+ 		return DROPBEAR_FAILURE;
+ 	}
+ 
+@@ -274,7 +282,6 @@
+ 	TRACE(("no matching shell"))
+ 	dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected",
+ 				ses.authstate.pw_name);
+-	send_msg_userauth_failure(0, 1);
+ 	return DROPBEAR_FAILURE;
+ 	
+ goodshell:
+@@ -284,7 +291,6 @@
+ 	TRACE(("uid = %d", ses.authstate.pw_uid))
+ 	TRACE(("leave checkusername"))
+ 	return DROPBEAR_SUCCESS;
+-
+ }
+ 
+ /* Send a failure message to the client, in responds to a userauth_request.
+@@ -331,8 +337,8 @@
+ 	if (incrfail) {
+ 		unsigned int delay;
+ 		genrandom((unsigned char*)&delay, sizeof(delay));
+-		/* We delay for 300ms +- 50ms, 0.1ms granularity */
+-		delay = 250000 + (delay % 1000)*100;
++		/* We delay for 300ms +- 50ms */
++		delay = 250000 + (delay % 100000);
+ 		usleep(delay);
+ 		ses.authstate.failcount++;
+ 	}
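Review bot: The pubkey branch still answers an unknown user immediately with `send_msg_userauth_failure(0, 0)` while a known user goes through svr_auth_pubkey (its cost is outside this hunk, presumably key parsing and an authorized_keys lookup), so a measurable response-time difference between the two cases remains on the public-key method even though the password paths are now equalised; the `/* pubkey has no failure delay */` comment should record this as an accepted residual, e.g. `/* pubkey has no failure delay; a valid user's key lookup still costs more than this immediate reply */`. Moving `checkusername()` ahead of the "none" method handling also means every "none" probe for a nonexistent user now emits the `Login attempt for nonexistent user` warning (and the root-login and invalid-shell warnings), which it did not before, because the removed check sat after the "none" block; that is extra log volume on every connection from clients that try "none" first, so either confirm it is intended or call checkusername after the "none" block, which keeps the "none" reply identical for valid and invalid users. recv_msg_userauth_request and send_msg_userauth_failure both start outside this hunk.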
