Hi all, Dropbear 2013.59 has been released. It fixes a number of bugs, including two security issues affecting prior releases.
- The Dropbear server could be made to consume large amounts of memory because decompressed packet sizes weren't checked. Depending on the OS and hardware this might be a denial of service.
- Valid users could be identified due to timing variations.

As usual you can download it from https://matt.ucc.asn.au/dropbear/dropbear.html

Cheers,
Matt

2013.59 - Friday 4 October 2013

- Fix crash from -J command
  Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches
- Avoid reading too much from /proc/net/rt_cache since that causes system slowness.
- Improve EOF handling for half-closed connections
  Thanks to Catalin Patulea
- Send a banner message to report PAM error messages intended for the user
  Patch from Martin Donnelly
- Limit the size of decompressed payloads, avoids memory exhaustion denial of service
  Thanks to Logan Lamb for reporting and investigating it
- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting
- Update config.guess and config.sub for newer architectures
- Avoid segfault in server for locked accounts
- "make install" now installs manpages
  dropbearkey.8 has been renamed to dropbearkey.1
  manpage added for dropbearconvert
- Get rid of one second delay when running non-interactive commands

Releases are signed by PGP key m...@ucc.asn.au 4C647FBC
D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC
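The first security fix in the announcement, limiting the size of decompressed payloads, is worth seeing in miniature. The Python below is an added illustration written for this page, not Dropbear's code: it contrasts an inflater that trusts the peer's compressed data with one that caps the inflated size before any large allocation happens. MAX_PAYLOAD, the function names and the sample packets are constructed for the example; a real SSH implementation would tie the limit to its maximum packet length.

```python
import zlib

# Upper bound on the decompressed size of a single packet. This value is a
# constructed assumption for the example, not a Dropbear constant.
MAX_PAYLOAD = 32 * 1024


class PayloadTooLarge(ValueError):
    """Raised when a compressed packet would inflate past the allowed limit."""


def inflate_unbounded(packet: bytes) -> bytes:
    """The pattern the fix removes: inflate whatever the peer sent.

    The size of the resulting buffer is chosen entirely by the remote side;
    a few kilobytes of highly compressible input expand to many megabytes.
    """
    return zlib.decompress(packet)


def inflate_bounded(packet: bytes, limit: int = MAX_PAYLOAD) -> bytes:
    """Inflate at most `limit` bytes and reject the packet if more would follow.

    Asking zlib for limit + 1 bytes means that receiving limit + 1 bytes back
    proves the payload is over-size, while never allocating more than that.
    If fewer bytes come back, zlib consumed the whole input, so the packet
    fits within the limit and is returned intact.
    """
    inflater = zlib.decompressobj()
    out = inflater.decompress(packet, limit + 1)
    if len(out) > limit:
        raise PayloadTooLarge(f"decompressed payload exceeds {limit} bytes")
    return out


def would_exhaust(packet: bytes, limit: int = MAX_PAYLOAD) -> bool:
    """True when the bounded inflater refuses the packet."""
    try:
        inflate_bounded(packet, limit)
    except PayloadTooLarge:
        return True
    return False


def make_packet(payload: bytes) -> bytes:
    """Constructed sample input: a zlib-compressed packet as a peer would send it."""
    return zlib.compress(payload, 9)


if __name__ == "__main__":
    # Constructed inputs: a normal message and one that inflates to 8 MiB.
    benign = make_packet(b"hello")
    oversized = make_packet(b"\0" * (8 * 1024 * 1024))
    print("benign:", inflate_bounded(benign))
    print("oversized packet is", len(oversized), "bytes on the wire")
    print("unbounded inflates to", len(inflate_unbounded(oversized)), "bytes")
    print("bounded rejects it:", would_exhaust(oversized))
```

Capping the output on the decompression call itself is the important design choice: checking the length after an unbounded inflate is too late, because the allocation the attacker wanted has already happened.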