oss-sec mailing list archives
Re: CVE Request: dropbear sshd daemon 2013.59 release
From: Matt Johnston <matt () ucc asn au>
Date: Thu, 10 Oct 2013 21:38:19 +0800
Hi all, On Thu, Oct 10, 2013 at 03:27:07PM +0200, Marcus Meissner wrote:
has this changes entry: - Limit the size of decompressed payloads, avoids memory exhaustion denial of service https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
That's the right patch.
It also has this changes entry which might need one: - Avoid disclosing existence of valid users through inconsistent delays https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4
That should be https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a for the user disclosure. I don't think the constant-time memcmp (a625f9e135a4) is worth noting with a CVE. The packet HMAC is non-repeatable for an attacker. The password crypt comparison has too long a delay between tries, I think the majority of programs would use straight strcmp(). Cheers, Matt
Current thread:
- CVE Request: dropbear sshd daemon 2013.59 release Marcus Meissner (Oct 10)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Matt Johnston (Oct 10)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Seth Arnold (Oct 10)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Kurt Seifried (Oct 10)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Kurt Seifried (Oct 10)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Matt Johnston (Oct 11)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Kurt Seifried (Oct 15)
- Re: CVE Request: dropbear sshd daemon 2013.59 release Matt Johnston (Oct 11)