Date: Thu, 10 Oct 2013 15:27:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: matt@....asn.au
Subject: CVE Request: dropbear sshd daemon 2013.59 release

Hi folks, hi Matt,

https://matt.ucc.asn.au/dropbear/CHANGES seems to have two CVE-worthy entries.

Version 2013.59 - Friday 4 October 2013

has this changes entry:
- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service 
  Thanks to Logan Lamb for reporting and investigating it

  Source code fix for this seems to be:
  https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f


It also has this changes entry which might need one:
- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

  https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Matt, if you are interested in requesting CVEs in the future
for security relevant fixes, feel free to contact us.
(Kurt, I looked for your howto, but my googlefu today is weak.)

Ciao, Marcus
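
The first changes entry above, limiting the size of decompressed payloads, illustrated as an added example that is not part of the original message and is not dropbear's code. The class name, the 32 KiB cap and the sample packets are assumptions made for the illustration.

```python
import zlib

MAX_PAYLOAD = 32 * 1024  # assumed per-packet cap for this example


class PayloadTooLarge(Exception):
    """A compressed packet inflated past the configured cap."""


class PacketInflater:
    """Inflate packets from one long-lived zlib stream, as SSH compression
    does, while bounding the size of every decompressed payload."""

    def __init__(self, limit: int = MAX_PAYLOAD):
        self.limit = limit
        self._z = zlib.decompressobj()

    def inflate(self, packet: bytes) -> bytes:
        # Request one byte more than the cap: zlib stops producing output
        # there, so an oversized payload is detected without buffering it.
        out = self._z.decompress(packet, self.limit + 1)
        if len(out) > self.limit:
            # The stream is now out of sync; the caller should drop the
            # connection rather than keep using this object.
            raise PayloadTooLarge(f"payload exceeds {self.limit} bytes")
        return out


def constructed_packets():
    """Constructed sample input: a small packet, then a highly compressible one."""
    z = zlib.compressobj()
    small = z.compress(b"ssh-userauth") + z.flush(zlib.Z_SYNC_FLUSH)
    big = z.compress(b"\0" * 1_000_000) + z.flush(zlib.Z_SYNC_FLUSH)
    return small, big


if __name__ == "__main__":
    small, big = constructed_packets()
    rx = PacketInflater()
    print(rx.inflate(small))
    try:
        rx.inflate(big)
    except PayloadTooLarge as exc:
        print(f"{len(big)} compressed bytes rejected: {exc}")
```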
