Bug#906890: dropbear: CVE-2018-15599
Hi Guilhem, On Fri, Aug 24, 2018 at 03:26:12AM +0200, Guilhem Moulin wrote: > On Wed, 22 Aug 2018 at 11:19:37 +0200, Guilhem Moulin wrote: > > On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote: > >> Would you agree and could you instead update dropbear for the next > >> point release? > > > > Makes sense indeed, I'll do that instead. > > Just for the record, upstream fixed that in changeset 1616:5d2d1021ca00 > https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 , and the request > to add it to stretch-pu is filed as #907124. Perfect, thank you! Regards, Salvatore
Bug#906890: dropbear: CVE-2018-15599
On Wed, 22 Aug 2018 at 11:19:37 +0200, Guilhem Moulin wrote: > On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote: >> Would you agree and could you instead update dropbear for the next >> point release? > > Makes sense indeed, I'll do that instead. Just for the record, upstream fixed that in changeset 1616:5d2d1021ca00 https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 , and the request to add it to stretch-pu is filed as #907124. -- Guilhem. signature.asc Description: PGP signature
Bug#906890: dropbear: CVE-2018-15599
On Wed, 22 Aug 2018 at 06:21:27 +0200, Salvatore Bonaccorso wrote: > Would you agree and could you instead update dropbear for the next > point release? Makes sense indeed, I'll do that instead. Cheers, -- Guilhem. signature.asc Description: PGP signature
Bug#906890: dropbear: CVE-2018-15599
Hi Guilhem [adding team@s.d.o to the loop] On Tue, Aug 21, 2018 at 11:30:00PM +0200, Guilhem Moulin wrote: > Control: found -1 2014.65-1+deb8u2 > > Hi Salvatore, > > Wow, you're fast :-) I read the the discussion in the upstream list but > wasn't aware a CVE had been assigned yet. > > Upstream replied “I should have a patch in the next couple of days”, and > I'll propose an upload to stretch-security after that. (Hopefully the > patch will be easy to backport as ‘svr-auth.c’ hasn't changed much since > oldstable.) Thanks! We were discussing this related issue (similar to openssh) in the team yesterday, and we were thinking whilst we might issue a DSA for openssh, we tend to not issue a DSA for dropbear itself fo the similar issue. The use cases are likely different where they are used, so we think updating for the next point release via stretch-pu might suffice here for drobear. Would you agree and could you instead update dropbear for the next point release? Regards, Salvatore
Bug#906890: dropbear: CVE-2018-15599
Control: found -1 2014.65-1+deb8u2 Hi Salvatore, Wow, you're fast :-) I read the the discussion in the upstream list but wasn't aware a CVE had been assigned yet. Upstream replied “I should have a patch in the next couple of days”, and I'll propose an upload to stretch-security after that. (Hopefully the patch will be easy to backport as ‘svr-auth.c’ hasn't changed much since oldstable.) > Please adjust the affected versions in the BTS as needed. Added 2014.65-1+deb8u2 from jessie-security. Cheers, -- Guilhem. signature.asc Description: PGP signature
Bug#906890: dropbear: CVE-2018-15599
Source: dropbear Version: 2016.74-1 Severity: grave Tags: security Forwarded: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html Hi, The following vulnerability was published for dropbear. CVE-2018-15599[0]: | The recv_msg_userauth_request function in svr-auth.c in Dropbear | through 2018.76 is prone to a user enumeration vulnerability because | username validity affects how fields in SSH_MSG_USERAUTH messages are | handled, a similar issue to CVE-2018-15473 in an unrelated codebase. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-15599 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15599 [1] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore