<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/dropbear/dropbear.hash, branch 2017.08</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.08</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.08'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-05-21T21:32:16+00:00</updated>
<entry>
<title>dropbear: security bump to version 2017.75</title>
<updated>2017-05-21T21:32:16+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-05-20T15:15:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=8644a83bd806d1e6efdfd972908798e8e00f7006'/>
<id>urn:sha1:8644a83bd806d1e6efdfd972908798e8e00f7006</id>
<content type='text'>
Fixes:

- CVE-2017-9078: A double-free in the server could be triggered by an
  authenticated user if dropbear is running with -a (Allow connections to
  forwarded ports from any host) This could potentially allow arbitrary code
  execution as root by an authenticated user.  Affects versions 2013.56 to
  2016.74.  Thanks to Mark Shepard for reporting the crash.

- CVE-2017-9079: Dropbear parsed authorized_keys as root, even if it were a
  symlink.  The fix is to switch to user permissions when opening
  authorized_keys.
  A user could symlink their ~/.ssh/authorized_keys to a root-owned file
  they couldn't normally read.  If they managed to get that file to contain
  valid authorized_keys with command= options it might be possible to read
  other contents of that file.  This information disclosure is to an already
  authenticated user.  Thanks to Jann Horn of Google Project Zero for
  reporting this.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump version to 2016.74</title>
<updated>2016-07-23T12:41:04+00:00</updated>
<author>
<name>Alexander Dahl</name>
<email>post@lespocky.de</email>
</author>
<published>2016-07-21T16:35:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=52b06ebbcffd0905cf8cf26673453bd619194d3d'/>
<id>urn:sha1:52b06ebbcffd0905cf8cf26673453bd619194d3d</id>
<content type='text'>
According to https://matt.ucc.asn.au/dropbear/CHANGES there were some
severe security issues fixed.

Signed-off-by: Alexander Dahl &lt;post@lespocky.de&gt;
Acked-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2016.73</title>
<updated>2016-03-20T13:52:44+00:00</updated>
<author>
<name>Alexander Dahl</name>
<email>post@lespocky.de</email>
</author>
<published>2016-03-20T12:04:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=83d95eebaebea4d8df1dba1c27b22895522d6524'/>
<id>urn:sha1:83d95eebaebea4d8df1dba1c27b22895522d6524</id>
<content type='text'>
some new runtime options, minor fixes, and fixes for issues found by
various code analyze and lintian tools.

Signed-off-by: Alexander Dahl &lt;post@lespocky.de&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>dropbear: security bump to 2016.72</title>
<updated>2016-03-10T13:35:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2016-03-10T13:35:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=aea2d241137b20187556ee27915a830835b209a7'/>
<id>urn:sha1:aea2d241137b20187556ee27915a830835b209a7</id>
<content type='text'>
2016.72 - 9 March 2016

- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
  found by github.com/tintinweb. Thanks to Damien Miller for a patch.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2015.71</title>
<updated>2015-12-03T20:45:27+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-12-03T17:41:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c2505381d0103d94e4202bad949fa37184b01920'/>
<id>urn:sha1:c2505381d0103d94e4202bad949fa37184b01920</id>
<content type='text'>
Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump version to 2015.70</title>
<updated>2015-11-26T15:29:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2015-11-26T15:29:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1069d0fc8cbdca7cb04d1d4ff0c58b46e23299b1'/>
<id>urn:sha1:1069d0fc8cbdca7cb04d1d4ff0c58b46e23299b1</id>
<content type='text'>
Bugfix release, fixes password auth support detection.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2015.69</title>
<updated>2015-11-25T22:24:09+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-11-25T22:05:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=37ec6ceaa8cedd40524686d46f39638a9876af6c'/>
<id>urn:sha1:37ec6ceaa8cedd40524686d46f39638a9876af6c</id>
<content type='text'>
Fixes a port-forwarding regression in 2015.68

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to 2015.68</title>
<updated>2015-10-15T20:22:12+00:00</updated>
<author>
<name>Luca Ceresoli</name>
<email>luca@lucaceresoli.net</email>
</author>
<published>2015-10-15T12:49:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=5e3da92d7e95c88c088384ed1422f6f257106d90'/>
<id>urn:sha1:5e3da92d7e95c88c088384ed1422f6f257106d90</id>
<content type='text'>
Signed-off-by: Luca Ceresoli &lt;luca@lucaceresoli.net&gt;
Reviewed-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Tested-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2015.67</title>
<updated>2015-01-28T20:48:02+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-01-28T16:43:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1e48670167f9eb72e2af1d415ce9fe521338a1e1'/>
<id>urn:sha1:1e48670167f9eb72e2af1d415ce9fe521338a1e1</id>
<content type='text'>
Switch sed options around since defaults have changed.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2014.66</title>
<updated>2014-10-23T20:09:26+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2014-10-23T17:09:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b1c2c47bd76c05771cba9c03b6eadb614343c0b4'/>
<id>urn:sha1:b1c2c47bd76c05771cba9c03b6eadb614343c0b4</id>
<content type='text'>
And add hash file.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
