oss-sec mailing list archives
Re: CVE Request: dropbear sshd daemon 2013.59 release
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 10 Oct 2013 23:41:27 -0600
On 10/10/2013 07:27 AM, Marcus Meissner wrote:
> Hi folks, hi Matt,
>
> https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE-worthy entries.
>
> Version 2013.59 - Friday 4 October 2013 has this changes entry:
>
> - Limit the size of decompressed payloads, avoids memory exhaustion
>   denial of service. Thanks to Logan Lamb for reporting and investigating it
>
> Source code fix for this seems to be:
> https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

Please use CVE-2013-4421 for this issue.

> It also has this changes entry which might need one:
>
> - Avoid disclosing existence of valid users through inconsistent delays.
>   Thanks to Logan Lamb for reporting
>
> https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4
>
> Matt, if you are interested in requesting CVEs in the future for
> security-relevant fixes, feel free to contact us.
> (Kurt, I looked for your howto, but my googlefu today is weak.)
>
> Ciao, Marcus

This one seems to not be as exploitable, or did I misread the follow-up emails?

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
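The first changelog entry (CVE-2013-4421) is about a receiver that inflates compressed packets without a ceiling, so a few kilobytes on the wire can force it to allocate megabytes. The example below is added here to show the shape of that mitigation in Python's streaming zlib API; it is not dropbear's code (dropbear is written in C) and the `MAX_DECOMPRESSED` figure, the `BENIGN`/`BOMB` payloads and the helper names are constructed for the demonstration.

```python
import zlib

# Upper bound on the inflated size of one payload the receiver is willing to
# hold in memory. The figure is an assumption for this demonstration, not the
# limit dropbear itself applies.
MAX_DECOMPRESSED = 64 * 1024


class PayloadTooLarge(ValueError):
    """Raised when a compressed payload would inflate past the configured cap."""


def decompress_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate `data`, never materialising more than `limit` bytes.

    The streaming decompressor is asked for at most (limit - produced + 1)
    bytes per call; input it has not processed stays in unconsumed_tail
    instead of being inflated, so a payload that expands past the cap is
    rejected after allocating only limit + 1 bytes rather than its full
    inflated size.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        chunk = d.decompress(pending, limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise PayloadTooLarge(f"payload inflates past {limit} bytes")
        if not chunk and d.unconsumed_tail == pending:
            # No output and no input consumed: treat the stream as malformed
            # rather than spinning on it.
            raise zlib.error("decompressor made no progress")
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > limit:
        raise PayloadTooLarge(f"payload inflates past {limit} bytes")
    return bytes(out)


def decompress_naive(data: bytes) -> bytes:
    """The unbounded variant: allocates whatever the stream expands to."""
    return zlib.decompress(data)


# Constructed inputs: a benign payload, and a small stream that inflates to
# 4 MiB of zeros (the shape of a decompression-bomb denial of service).
BENIGN = zlib.compress(b"SSH_MSG_IGNORE " * 64)
BOMB = zlib.compress(b"\x00" * (4 * 1024 * 1024))


def expansion_ratio(data: bytes) -> float:
    """Inflated size divided by wire size, measured with the naive path."""
    return len(decompress_naive(data)) / len(data)


def accepts(data: bytes, limit: int = MAX_DECOMPRESSED) -> bool:
    """True if the bounded decompressor accepts the payload within `limit`."""
    try:
        decompress_bounded(data, limit)
        return True
    except PayloadTooLarge:
        return False


if __name__ == "__main__":
    print(f"benign: {len(BENIGN)} bytes on the wire, accepted={accepts(BENIGN)}")
    print(f"bomb:   {len(BOMB)} bytes on the wire, "
          f"ratio={expansion_ratio(BOMB):.0f}x, accepted={accepts(BOMB)}")
```

The design point is that the cap is enforced by the decompressor's output budget, not by inspecting the result after the fact: `decompress_naive(BOMB)` already has the whole 4 MiB in memory by the time any size check could run, whereas `decompress_bounded` stops one byte past the limit.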
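The second entry (valid users disclosed through inconsistent delays) is the classic username-enumeration leak: when an unknown user is rejected before the expensive password check runs, the response time differs from that of a known user with a wrong password. The following is an added Python illustration of the leaky path beside a uniform one; it is not dropbear's fix, and the credential store, the dummy record, `ITERATIONS` and the function names are constructed for the example.

```python
import hashlib
import hmac

# PBKDF2 work factor; chosen for the demonstration, not a recommendation.
ITERATIONS = 10_000


def derive(password: str, salt: bytes) -> bytes:
    """Constructed password hashing: PBKDF2-SHA256 over the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store: username -> (salt, digest). A real server
# would read this from its account database.
USERS = {
    "alice": (b"salt-alice-0001", derive("correct horse", b"salt-alice-0001")),
}

# Dummy record checked for unknown usernames so the rejection path does the
# same work, and takes about the same time, as a wrong password for a real
# user. The dummy password is never accepted (see check_uniform).
DUMMY_SALT = b"salt-dummy-0000"
DUMMY_DIGEST = derive("not-a-real-password", DUMMY_SALT)


def check_leaky(user: str, password: str) -> tuple[bool, int]:
    """Returns (authenticated, hash_ops).

    Unknown users are rejected before any hashing, so the response for an
    invalid username comes back measurably faster than for a valid one with
    a wrong password: the inconsistency the changelog entry refers to.
    """
    if user not in USERS:
        return False, 0
    salt, digest = USERS[user]
    ok = hmac.compare_digest(derive(password, salt), digest)
    return ok, 1


def check_uniform(user: str, password: str) -> tuple[bool, int]:
    """Same contract, but the hash is computed exactly once on every call.

    Unknown users are checked against the dummy record and rejected
    regardless of the comparison result, so valid and invalid usernames
    traverse the same code path and incur the same delay.
    """
    known = user in USERS
    salt, digest = USERS[user] if known else (DUMMY_SALT, DUMMY_DIGEST)
    ok = hmac.compare_digest(derive(password, salt), digest)
    return ok and known, 1


if __name__ == "__main__":
    for name, fn in (("leaky", check_leaky), ("uniform", check_uniform)):
        print(name, "unknown user:", fn("mallory", "x"))
        print(name, "known user, wrong password:", fn("alice", "x"))
        print(name, "known user, right password:", fn("alice", "correct horse"))
```

The `hash_ops` count stands in for elapsed time: under `check_leaky` an unknown user costs zero hash operations and a known user costs one, which is the difference an observer can measure; under `check_uniform` every outcome costs exactly one. The same principle applies to an explicit failure delay: apply it on every rejection, not only on the branch that happened to do the work.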