<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/dropbear, branch 2017.11.2</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.11.2</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.11.2'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-05-21T21:32:16+00:00</updated>
<entry>
<title>dropbear: security bump to version 2017.75</title>
<updated>2017-05-21T21:32:16+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-05-20T15:15:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=8644a83bd806d1e6efdfd972908798e8e00f7006'/>
<id>urn:sha1:8644a83bd806d1e6efdfd972908798e8e00f7006</id>
<content type='text'>
Fixes:

- CVE-2017-9078: A double-free in the server could be triggered by an
  authenticated user if dropbear is running with -a (Allow connections to
  forwarded ports from any host) This could potentially allow arbitrary code
  execution as root by an authenticated user.  Affects versions 2013.56 to
  2016.74.  Thanks to Mark Shepard for reporting the crash.

- CVE-2017-9079: Dropbear parsed authorized_keys as root, even if it were a
  symlink.  The fix is to switch to user permissions when opening
  authorized_keys.
  A user could symlink their ~/.ssh/authorized_keys to a root-owned file
  they couldn't normally read.  If they managed to get that file to contain
  valid authorized_keys with command= options it might be possible to read
  other contents of that file.  This information disclosure is to an already
  authenticated user.  Thanks to Jann Horn of Google Project Zero for
  reporting this.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>boot, package: use SPDX short identifier for BSD-2c</title>
<updated>2017-04-01T13:27:05+00:00</updated>
<author>
<name>Rahul Bedarkar</name>
<email>rahulbedarkar89@gmail.com</email>
</author>
<published>2017-03-30T13:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=96e9480fbc71a39d473be5d4f73b4d15b5029a8f'/>
<id>urn:sha1:96e9480fbc71a39d473be5d4f73b4d15b5029a8f</id>
<content type='text'>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for BSD-2c is BSD-2-Clause.

This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/BSD-2c/BSD-2-Clause/g'

Signed-off-by: Rahul Bedarkar &lt;rahulbedarkar89@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump version to 2016.74</title>
<updated>2016-07-23T12:41:04+00:00</updated>
<author>
<name>Alexander Dahl</name>
<email>post@lespocky.de</email>
</author>
<published>2016-07-21T16:35:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=52b06ebbcffd0905cf8cf26673453bd619194d3d'/>
<id>urn:sha1:52b06ebbcffd0905cf8cf26673453bd619194d3d</id>
<content type='text'>
According to https://matt.ucc.asn.au/dropbear/CHANGES there were some
severe security issues fixed.

Signed-off-by: Alexander Dahl &lt;post@lespocky.de&gt;
Acked-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2016.73</title>
<updated>2016-03-20T13:52:44+00:00</updated>
<author>
<name>Alexander Dahl</name>
<email>post@lespocky.de</email>
</author>
<published>2016-03-20T12:04:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=83d95eebaebea4d8df1dba1c27b22895522d6524'/>
<id>urn:sha1:83d95eebaebea4d8df1dba1c27b22895522d6524</id>
<content type='text'>
some new runtime options, minor fixes, and fixes for issues found by
various code analyze and lintian tools.

Signed-off-by: Alexander Dahl &lt;post@lespocky.de&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>dropbear: security bump to 2016.72</title>
<updated>2016-03-10T13:35:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2016-03-10T13:35:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=aea2d241137b20187556ee27915a830835b209a7'/>
<id>urn:sha1:aea2d241137b20187556ee27915a830835b209a7</id>
<content type='text'>
2016.72 - 9 March 2016

- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
  found by github.com/tintinweb. Thanks to Damien Miller for a patch.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: add help text about key creation</title>
<updated>2016-01-12T22:35:08+00:00</updated>
<author>
<name>Arnout Vandecappelle</name>
<email>arnout@mind.be</email>
</author>
<published>2016-01-09T01:15:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e146d82b96b471886f00c64a2661df9d4ba0d8c5'/>
<id>urn:sha1:e146d82b96b471886f00c64a2661df9d4ba0d8c5</id>
<content type='text'>
Commit e7d04dd2d replaced /etc/dropbear with a symlink to /var/run and
updated the start scripts to replace it with a real directory, so the
keys would be persistent. However, it turns out that this is pretty
confusing even for expert users, who don't know how to make the keys
really persistent now.

Update the help text explaining what the issue is, and telling the user
to replace the /etc/dropbear symlink with a symlink to a persistent
directory. Also mention the possiblity of unionfs.

Cc: Thomas De Schampheleire &lt;patrickdepinguin@gmail.com&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2015.71</title>
<updated>2015-12-03T20:45:27+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-12-03T17:41:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c2505381d0103d94e4202bad949fa37184b01920'/>
<id>urn:sha1:c2505381d0103d94e4202bad949fa37184b01920</id>
<content type='text'>
Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump version to 2015.70</title>
<updated>2015-11-26T15:29:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2015-11-26T15:29:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1069d0fc8cbdca7cb04d1d4ff0c58b46e23299b1'/>
<id>urn:sha1:1069d0fc8cbdca7cb04d1d4ff0c58b46e23299b1</id>
<content type='text'>
Bugfix release, fixes password auth support detection.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: bump to version 2015.69</title>
<updated>2015-11-25T22:24:09+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-11-25T22:05:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=37ec6ceaa8cedd40524686d46f39638a9876af6c'/>
<id>urn:sha1:37ec6ceaa8cedd40524686d46f39638a9876af6c</id>
<content type='text'>
Fixes a port-forwarding regression in 2015.68

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>dropbear: dropbear.service: /etc/default/dropbear is optional</title>
<updated>2015-11-09T22:11:52+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2015-11-09T22:11:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=04e401e20a8ef8db895f01238bd8d41bb2830cf6'/>
<id>urn:sha1:04e401e20a8ef8db895f01238bd8d41bb2830cf6</id>
<content type='text'>
The environment file is for optional customization, so don't error out if it
isn't present.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
