Date: Thu, 10 Oct 2013 23:41:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: matt@....asn.au
Subject: Re: CVE Request: dropbear sshd daemon 2013.59 release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/10/2013 07:27 AM, Marcus Meissner wrote:
> Hi folks, hi Matt,
>
> https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE
> worth entries.
>
> Version 2013.59 - Friday 4 October 2013
>
> has this changes entry:
> - Limit the size of decompressed payloads,
>   avoids memory exhaustion denial of service
>   Thanks to Logan Lamb for reporting and investigating it
>
> Source code fix for this seems to be:
> https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

Please use CVE-2013-4421 for this issue.

> It also has this changes entry which might need one:
> - Avoid disclosing existence of valid users through inconsistent delays
>   Thanks to Logan Lamb for reporting
>
> https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4
>
> Matt, if you are interested in requesting CVEs in the future for
> security relevant fixes, feel free to contact us. (Kurt, I looked
> for your howto, but my googlefu today is weak.)
>
> Ciao, Marcus

This one seems to not be as exploitable or did I misread the follow-up emails?
- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV4+HAAoJEBYNRVNeJnmTnI0P/R4OSe2xrgdBj3883huklL9W
8JB4p9sgVKt+Nhkd37E0nFYlmGu5oqpjsU2TxpLBH8PKtxJX1yhMGyrQnUw7AZff
AZa74hkNimz1XPUjry5ubJ9Usf3CsX5W/Q+26Y+Q9QHXKJDMDbB+jeWUAyeZPtPM
dlMyyF+00QuItgAYB4CcO1mgBQxckz5rLzRRO1Vq++MwhEaDIWigE2md+MTcgsha
CoAfAl5iKskbXj2y5a3DKgwJnF+gC0y04qj5cVEEAgBLy41Ur6hs1eqqoR+yHf27
kwV579UD5MeQyNIUsBBG64LuRmmuHFikNlQOYmSmrMtmEWCwloylducJRDmIACIC
crky1ItgBb7Cse9ycSUr0M5WhgL+4fzvCEE0AWqKEK/J1l4NxDCPrCSkO4aiSJID
gCiumOtofjlXJ/MPuztn/8HbkP1o4KWBhc7duksMFHngmCd2+jYbOzXWYYwMydnH
+KfuB9FBhXeJNAyG2vqVEoGp/KBZ6z2gQoDyrUx89YulbDA6SbEhvFXKVkFl5P9p
07jFENRwItrZY/v98rGfvGczmcXve4ZjWbZvZDFwWbK8sIgYsbwK8b1xFLVX7zLU
1UiYvTHe92I6MFd1M35/JcL3joy7tguq9xndjvBNjHNWs2r3H1BDj4FKdXf3IPCZ
asogS9Zu8Jb6znMKb2yk
=Ue1h
-----END PGP SIGNATURE-----
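The first changelog entry quoted in the message (limiting the size of decompressed payloads, CVE-2013-4421) describes the fix in one line. The Python below is an added illustration of the bounding technique for this archive page; it is not dropbear's code (dropbear is written in C against zlib, and its actual change is at the linked changeset, which is not reproduced here). The 64 KiB cap, the function names and the zero-filled sample payload are all constructed for the example.

```python
import zlib

# Cap on how large a single decompressed payload may become. The value is
# constructed for this example; a real SSH server would tie it to its maximum
# packet length.
MAX_DECOMPRESSED = 64 * 1024


class PayloadTooLarge(Exception):
    """Compressed input would expand beyond the configured limit."""


def unbounded_decompress(compressed: bytes) -> bytes:
    """The risky pattern: inflate whatever the peer sent, however large.

    A few KiB of compressed input can expand to hundreds of MiB here, and the
    whole result is allocated before anyone gets to look at its size.
    """
    return zlib.decompress(compressed)


def bounded_decompress(compressed: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate `compressed`, refusing any stream that expands past `limit`.

    Asking the streaming decompressor for at most limit + 1 bytes means the
    output buffer can never grow beyond the cap: if limit + 1 bytes come back,
    the peer sent more than allowed and the payload is rejected before any
    further memory is committed.
    """
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit:
        raise PayloadTooLarge(f"payload expands past {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt compressed stream")
    return out


def make_sample(size: int) -> bytes:
    """Constructed input: a highly compressible run of zero bytes."""
    return zlib.compress(b"\0" * size)


def check(compressed: bytes, limit: int = MAX_DECOMPRESSED) -> str:
    """Classify a payload as 'accepted' or 'rejected' under the bound."""
    try:
        bounded_decompress(compressed, limit)
        return "accepted"
    except PayloadTooLarge:
        return "rejected"


if __name__ == "__main__":
    small = make_sample(1024)
    bomb = make_sample(16 * 1024 * 1024)   # ~16 MiB of output from a few KiB of input
    print(len(bomb), "compressed bytes ->", check(bomb))
    print(len(small), "compressed bytes ->", check(small))
```

The point of requesting limit + 1 rather than limit is that it distinguishes "exactly at the cap" from "over the cap" in one call, without ever holding more than one byte beyond the bound; a stream that ends exactly at the limit still decompresses cleanly and sets `eof`.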
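For the second entry (inconsistent delays that reveal whether a username exists), here is an added Python sketch of the defensive pattern, again not dropbear's own code and not a description of what the linked changeset does: always perform the expensive password hash, substituting a dummy record for unknown users so that the failure path costs the same either way. The function names, the sample user, the iteration count and the use of a hash count as a stand-in for the observable delay are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

# Iteration count kept low so the demo runs quickly; not a production setting.
ITERATIONS = 20_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """The deliberately expensive step whose presence or absence a client can time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store for the example: username -> (salt, PBKDF2 hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, slow_hash("correct horse", _ALICE_SALT))}

# Dummy record used for unknown usernames so the hash is always computed.
# Its secret is random and discarded, so it can never match a real guess.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash(secrets.token_hex(32), _DUMMY_SALT)


def leaky_check(user: str, password: str) -> Tuple[bool, int]:
    """Before: unknown users fail fast, skipping the hash entirely.

    Returns (authenticated, number_of_slow_hashes); the second value stands in
    for the wall-clock delay a remote client would observe.
    """
    record = USERS.get(user)
    if record is None:
        return False, 0          # fast rejection reveals that the user does not exist
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored), 1


def uniform_check(user: str, password: str) -> Tuple[bool, int]:
    """After: every attempt pays for exactly one hash, known user or not."""
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(slow_hash(password, salt), stored)
    return matched and user in USERS, 1


def work_is_uniform(check) -> bool:
    """True if a failed login costs the same for a real and a nonexistent user."""
    _, known = check("alice", "not the password")
    _, unknown = check("no-such-user", "not the password")
    return known == unknown


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_check), ("uniform", uniform_check)):
        print(f"{name}: same work for known and unknown users? {work_is_uniform(fn)}")
```

Counting hash invocations rather than measuring time keeps the demonstration deterministic; in a real service the same idea is verified by timing many failed logins for existing and non-existing accounts and checking that the distributions do not separate.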