CVSROOT: /cvs
Module name: ports
Changes by: st...@cvs.openbsd.org 2016/09/21 04:06:27

Modified files:
    security/dropbear: Makefile distinfo

Log message:
update to dropbear-2016.74, fixes include a format string vulnerability (CVE-2016-7406) and a problem importing malicious OpenSSH keys (CVE-2016-7407) both of which could result in arbitrary code running as root in some conditions (though the worst one requires usernames including '%' which is uncommon with OpenBSD as adduser and useradd reject this, however it is possible by editing the password file directly).

See https://matt.ucc.asn.au/dropbear/CHANGES for more details.