Date: Thu, 10 Oct 2013 15:27:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: matt@....asn.au
Subject: CVE Request: dropbear sshd daemon 2013.59 release

Hi folks, hi Matt,

https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE-worthy entries.

Version 2013.59 - Friday 4 October 2013

has this changes entry:
- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service 
  Thanks to Logan Lamb for reporting and investigating it

  Source code fix for this seems to be:
  https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f


It also has this changes entry which might need one:
- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

  https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Matt, if you are interested in requesting CVEs in the future
for security-relevant fixes, feel free to contact us.
(Kurt, I looked for your howto, but my googlefu today is weak.)

Ciao, Marcus
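
The first CHANGES entry quoted above is about capping the size of decompressed payloads. As an added example (not Dropbear's code and not part of the original message), the following Python shows the general technique with the standard zlib module; the function name, the 32 KiB cap and the sample inputs are assumptions constructed for the illustration, and it inflates a single self-contained stream rather than SSH's per-connection stream.

```python
import zlib

MAX_PAYLOAD = 32768  # assumed cap for this example, not a value from the page


class PayloadTooLarge(Exception):
    """Raised when inflating would produce more than the allowed output."""


def bounded_inflate(data: bytes, max_out: int = MAX_PAYLOAD,
                    chunk: int = 4096) -> bytes:
    """Inflate a zlib stream, refusing to produce more than max_out bytes."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while buf:
        # Request at most one byte beyond the remaining budget, so an
        # oversized stream is detected without buffering its full output.
        # budget is always >= 1 here (max_length=0 would mean "unlimited").
        budget = max_out - len(out) + 1
        out += d.decompress(buf, min(chunk, budget))
        if len(out) > max_out:
            raise PayloadTooLarge(f"decompressed size exceeds {max_out} bytes")
        # Input not yet processed because the output limit was reached.
        buf = d.unconsumed_tail
    # Collect any output still held inside the decompressor, then re-check.
    out += d.flush()
    if len(out) > max_out:
        raise PayloadTooLarge(f"decompressed size exceeds {max_out} bytes")
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs: a small payload and a highly compressible one.
    ok = zlib.compress(b"ssh-payload " * 8)
    print(len(bounded_inflate(ok)), "bytes accepted")
    oversized = zlib.compress(b"\0" * 1_000_000)
    try:
        bounded_inflate(oversized)
    except PayloadTooLarge as exc:
        print(len(oversized), "compressed bytes rejected:", exc)
```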
