Message-ID: <20131010132707.GA14445@suse.de>
Date: Thu, 10 Oct 2013 15:27:07 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: matt@....asn.au
Subject: CVE Request: dropbear sshd daemon 2013.59 release

Hi folks, hi Matt,

https://matt.ucc.asn.au/dropbear/CHANGES
seems to have two CVE-worthy entries.

Version 2013.59 - Friday 4 October 2013 has this changes entry:

- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service
  Thanks to Logan Lamb for reporting and investigating it

Source code fix for this seems to be:
https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

It also has this changes entry which might need one:

- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Matt, if you are interested in requesting CVEs in the future for security
relevant fixes, feel free to contact us.
(Kurt, I looked for your howto, but my googlefu today is weak.)

Ciao, Marcus
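
The first changes entry above describes capping the size of decompressed payloads. The following is an added illustration of that class of check, not part of the original message and not dropbear's code: a zlib inflate loop in Python that stops as soon as the output exceeds a cap. The cap value, function names and sample payloads are assumptions constructed for this example.

```python
import zlib

# Hypothetical cap for this example; not the limit dropbear enforces.
MAX_DECOMPRESSED = 64 * 1024


class PayloadTooLarge(Exception):
    """The payload would inflate past the configured cap."""


def bounded_inflate(compressed: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate zlib data, never buffering more than limit + 1 bytes."""
    inflater = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while data:
        # max_length=0 would mean "unlimited", so always request at least
        # one byte: the remaining budget plus one to detect an overrun.
        out += inflater.decompress(data, limit - len(out) + 1)
        if len(out) > limit:
            raise PayloadTooLarge(f"payload inflates past {limit} bytes")
        # Input left over because the output budget was hit, else empty.
        data = inflater.unconsumed_tail
    return bytes(out)


# Constructed samples: an ordinary payload and a highly compressible one.
SAMPLE_SMALL = zlib.compress(b"ls -l /tmp\n")
SAMPLE_LARGE = zlib.compress(b"\0" * (8 * 1024 * 1024))


def check(compressed: bytes) -> str:
    """Return 'accepted' or 'rejected' for one compressed payload."""
    try:
        bounded_inflate(compressed)
    except PayloadTooLarge:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    for name, blob in (("small", SAMPLE_SMALL), ("large", SAMPLE_LARGE)):
        print(f"{name}: {len(blob)} bytes compressed -> {check(blob)}")
```

The compressed size of the large sample is below the cap, which is why the limit has to be applied to the inflated output rather than to the bytes received.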