Date: Thu, 10 Oct 2013 23:41:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: matt@....asn.au
Subject: Re: CVE Request: dropbear sshd daemon 2013.59 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/10/2013 07:27 AM, Marcus Meissner wrote:
> Hi folks, hi Matt,
> 
> https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE
> worth entries.
> 
> Version 2013.59 - Friday 4 October 2013
> 
> has this changes entry:
>   - Limit the size of decompressed payloads, avoids memory exhaustion
>     denial of service
>     Thanks to Logan Lamb for reporting and investigating it
> 
> Source code fix for this seems to be: 
> https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

Please use CVE-2013-4421 for this issue.

> 
> It also has this changes entry which might need one:
>   - Avoid disclosing existence of valid users through inconsistent delays
>     Thanks to Logan Lamb for reporting
> 
> https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4
> 
> Matt, if you are interested in requesting CVEs in the future for
> security relevant fixes, feel free to contact us. (Kurt, I looked
> for your howto, but my googlefu today is weak.)
> 
> Ciao, Marcus

This one seems to not be as exploitable or did I misread the follow up
emails?



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV4+HAAoJEBYNRVNeJnmTnI0P/R4OSe2xrgdBj3883huklL9W
8JB4p9sgVKt+Nhkd37E0nFYlmGu5oqpjsU2TxpLBH8PKtxJX1yhMGyrQnUw7AZff
AZa74hkNimz1XPUjry5ubJ9Usf3CsX5W/Q+26Y+Q9QHXKJDMDbB+jeWUAyeZPtPM
dlMyyF+00QuItgAYB4CcO1mgBQxckz5rLzRRO1Vq++MwhEaDIWigE2md+MTcgsha
CoAfAl5iKskbXj2y5a3DKgwJnF+gC0y04qj5cVEEAgBLy41Ur6hs1eqqoR+yHf27
kwV579UD5MeQyNIUsBBG64LuRmmuHFikNlQOYmSmrMtmEWCwloylducJRDmIACIC
crky1ItgBb7Cse9ycSUr0M5WhgL+4fzvCEE0AWqKEK/J1l4NxDCPrCSkO4aiSJID
gCiumOtofjlXJ/MPuztn/8HbkP1o4KWBhc7duksMFHngmCd2+jYbOzXWYYwMydnH
+KfuB9FBhXeJNAyG2vqVEoGp/KBZ6z2gQoDyrUx89YulbDA6SbEhvFXKVkFl5P9p
07jFENRwItrZY/v98rGfvGczmcXve4ZjWbZvZDFwWbK8sIgYsbwK8b1xFLVX7zLU
1UiYvTHe92I6MFd1M35/JcL3joy7tguq9xndjvBNjHNWs2r3H1BDj4FKdXf3IPCZ
asogS9Zu8Jb6znMKb2yk
=Ue1h
-----END PGP SIGNATURE-----
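The first CHANGES entry above (decompressed payload size limit, CVE-2013-4421) describes a decompression-bomb defence in the SSH transport. The following is an added example written for this page; it is Python using the standard zlib module, not dropbear's C code and not the change in 0bf76f54de6f. The 35000-byte ceiling is an assumption (RFC 4253 requires implementations to accept packets of at least that size; the value dropbear chose is not stated here), and the bomb packet and the SSH_MSG_CHANNEL_DATA-style payloads are constructed for the example.

```python
import zlib

# Assumed per-packet ceiling for the example. RFC 4253 requires an SSH
# implementation to accept packets of at least 35000 bytes; the exact value
# dropbear chose in 2013.59 is not stated on the page.
MAX_INFLATED = 35000


class PayloadTooLarge(Exception):
    """Raised when an inflated packet would exceed the configured ceiling."""


def make_deflater():
    """SSH 'zlib' compression uses one deflate stream per direction."""
    return zlib.compressobj()


def make_inflater():
    return zlib.decompressobj()


def compress_packet(deflater, payload: bytes) -> bytes:
    """Compress one packet payload. Z_SYNC_FLUSH ends the packet on a byte
    boundary without terminating the stream, as SSH compression does."""
    return deflater.compress(payload) + deflater.flush(zlib.Z_SYNC_FLUSH)


def inflate_unbounded(inflater, compressed: bytes) -> bytes:
    """The vulnerable pattern: inflate whatever the peer sent, however large.
    A few kilobytes of compressed zeros become megabytes of heap."""
    return inflater.decompress(compressed)


def inflate_bounded(inflater, compressed: bytes, limit: int = MAX_INFLATED) -> bytes:
    """The fixed pattern: ask zlib for at most limit + 1 bytes. If it can
    produce that many, the packet is over the ceiling and is rejected before
    a large buffer is ever allocated. The caller should drop the connection."""
    out = inflater.decompress(compressed, limit + 1)
    if len(out) > limit:
        raise PayloadTooLarge(
            f"{len(compressed)} compressed bytes inflate past {limit} bytes")
    return out


def roundtrip(payloads):
    """Send several packets through one deflate/inflate stream pair and
    return what the receiver recovered."""
    deflater, inflater = make_deflater(), make_inflater()
    return [inflate_bounded(inflater, compress_packet(deflater, p)) for p in payloads]


def make_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed decompression bomb: one packet of `size` zero bytes."""
    return compress_packet(make_deflater(), b"\x00" * size)


def bomb_sizes(size: int = 8 * 1024 * 1024):
    """(compressed length, inflated length) when the unbounded path is used."""
    bomb = make_bomb(size)
    return len(bomb), len(inflate_unbounded(make_inflater(), bomb))


def bomb_rejected(limit: int = MAX_INFLATED) -> bool:
    """True if the bounded path refuses the bomb instead of inflating it."""
    try:
        inflate_bounded(make_inflater(), make_bomb(), limit)
    except PayloadTooLarge:
        return True
    return False


if __name__ == "__main__":
    c, u = bomb_sizes()
    print(f"bomb: {c} compressed bytes -> {u} inflated bytes (unbounded)")
    print("bounded inflate rejected bomb:", bomb_rejected())
    # 0x5e is SSH_MSG_CHANNEL_DATA (RFC 4254); the payloads are constructed.
    print("normal packets:", roundtrip([b"\x5ehello", b"\x5eworld"]))
```

The point of asking for `limit + 1` bytes rather than checking the size afterwards is that the oversized buffer is never allocated: zlib stops producing output as soon as the ceiling is crossed, which is the property a memory-exhaustion fix needs. An attacker-controlled compression ratio of roughly 1000:1 is all zlib offers, so a fixed ceiling on inflated size bounds the heap cost per packet regardless of what the peer sends.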
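The second CHANGES entry (inconsistent delays disclosing valid users) is a classic user-enumeration side channel: when an unknown username fails before any password hashing, the fast rejection tells the attacker the account does not exist. The following is an added example for this page, not dropbear's code and not the change in a625f9e135a4; it shows the general fix of doing the same expensive work on both paths. The PBKDF2 iteration count, the user database and the dummy record are all constructed for the example, and the wall-clock ratio it reports is illustrative of the leak, not a measurement of dropbear.

```python
import hashlib
import hmac
import os
import statistics
import time

# Deliberately slow KDF so the cost difference between "hash the password"
# and "skip the hash" is visible. The iteration count is an assumption for
# the example, not a value dropbear uses.
KDF_ITERATIONS = 50_000

kdf_calls = 0  # instrumentation: how many times the expensive KDF ran


def kdf(password: bytes, salt: bytes) -> bytes:
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS)


def make_record(password: bytes):
    salt = os.urandom(16)
    return salt, kdf(password, salt)


# Constructed user database: one real account.
USERS = {b"alice": make_record(b"correct horse battery staple")}

# A throwaway record with a real salt and digest, so that unknown users go
# through exactly the same KDF work as known ones.
DUMMY_RECORD = make_record(os.urandom(32))


def verify_leaky(username: bytes, password: bytes) -> bool:
    """Vulnerable pattern: unknown users fail before any hashing, so their
    rejection is orders of magnitude faster than a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(kdf(password, salt), digest)


def verify_consistent(username: bytes, password: bytes) -> bool:
    """Fixed pattern: always run the KDF, against a dummy record when the
    user is unknown, and fold the user-exists check into the result only
    after the expensive work is done."""
    record = USERS.get(username)
    known = record is not None
    salt, digest = record if known else DUMMY_RECORD
    matched = hmac.compare_digest(kdf(password, salt), digest)
    return known and matched


def kdf_calls_for(verify, username: bytes) -> int:
    """How many KDF invocations one failed attempt costs for `username`."""
    before = kdf_calls
    verify(username, b"wrong password")
    return kdf_calls - before


def timing_ratio(verify, trials: int = 5) -> float:
    """Median response time for a known user divided by that for an unknown
    user. Near 1.0 means the delay no longer reveals whether the user exists."""
    def median_seconds(username):
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            verify(username, b"wrong password")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return median_seconds(b"alice") / median_seconds(b"nobody")


if __name__ == "__main__":
    for verify in (verify_leaky, verify_consistent):
        print(verify.__name__,
              "kdf calls unknown/known:",
              kdf_calls_for(verify, b"nobody"), kdf_calls_for(verify, b"alice"),
              "known/unknown time ratio: %.1f" % timing_ratio(verify))
```

The deterministic check is the KDF call count: the leaky path does zero hashing work for an unknown user, the consistent path does one hash for either case. A fixed sleep on failure is a weaker substitute, since it only hides the difference if the sleep dwarfs the hashing time and the server is otherwise idle; running the same work on both paths removes the difference at its source.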
