Hi Guilhem,

On Fri, Aug 24, 2018 at 03:15:10AM +0200, Guilhem Moulin wrote:
> dropbear 2014.65-1+deb8u2 from jessie-security is vulnerable to
> CVE-2018-15599:
>
> The recv_msg_userauth_request function in svr-auth.c in Dropbear
> through 2018.76 is prone to a user enumeration vulnerability because
> username validity affects how fields in SSH_MSG_USERAUTH messages
> are handled, a similar issue to CVE-2018-15473 in an unrelated
> codebase.
>
> I backported upstream changeset 1616:5d2d1021ca00 [0] and attached a
> debdiff against 2014.65-1+deb8u2.dsc. I did check that pubkey and
> password authentication still work :-) (We're building without PAM
> support, so patching svr-authpam.c isn't needed, but I guess it's better
> to stick to the upstream patch.)

cool cool!

> For convenience, you can also find the source package at
> dget -x https://people.debian.org/~guilhem/tmp/dropbear_2014.65-1+deb8u3.dsc

nice. I'll sponsor your upload shortly and will then also send a DLA.

Thanks for providing the fixed package!

--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds).org