Date: Thu, 10 Oct 2013 15:27:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: matt@....asn.au
Subject: CVE Request: dropbear sshd daemon 2013.59 release

Hi folks, hi Matt,

https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE-worthy entries.

Version 2013.59 - Friday 4 October 2013 has this changes entry:

- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service
  Thanks to Logan Lamb for reporting and investigating it

Source code fix for this seems to be:
https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

It also has this changes entry which might need one:

- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Matt, if you are interested in requesting CVEs in the future for security
relevant fixes, feel free to contact us.

(Kurt, I looked for your howto, but my googlefu today is weak.)

Ciao, Marcus
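The first changelog entry above (capping decompressed payload size), as an added example that is not part of the original mail and is not Dropbear's code: a Python sketch using the standard zlib module on one per-connection stream. The class and function names, the 64 KiB cap and the sample packets are assumptions constructed for illustration.

```python
import zlib

# Assumed cap for illustration; not the value Dropbear's fix uses.
MAX_PAYLOAD = 64 * 1024


class PayloadTooLarge(Exception):
    """A packet inflated to more than the configured cap."""


class BoundedInflater:
    """One zlib stream per connection, inflated one packet at a time."""

    def __init__(self, limit=MAX_PAYLOAD):
        self.limit = limit
        self._d = zlib.decompressobj()

    def inflate_packet(self, data):
        # Ask for at most limit+1 bytes: zlib stops producing output there,
        # so memory use is bounded no matter what the packet expands to.
        out = self._d.decompress(data, self.limit + 1)
        if len(out) > self.limit or self._d.unconsumed_tail:
            # Stream state is now mid-packet; the caller must drop the
            # connection rather than keep using this inflater.
            raise PayloadTooLarge(f"packet inflates past {self.limit} bytes")
        return out


def compress_packets(payloads):
    """Constructed test input: sync-flushed packets on one shared stream."""
    c = zlib.compressobj()
    return [c.compress(p) + c.flush(zlib.Z_SYNC_FLUSH) for p in payloads]


def demo():
    small = compress_packets([b"hello", b"world" * 10])
    ok = BoundedInflater(limit=1024)
    results = [ok.inflate_packet(p) for p in small]
    big = compress_packets([b"\0" * (1 << 20)])[0]  # 1 MiB of zeros, constructed
    try:
        BoundedInflater().inflate_packet(big)
        rejected = False
    except PayloadTooLarge:
        rejected = True
    return results, len(big), rejected


if __name__ == "__main__":
    print(demo())
```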