Control: tags -1 + confirmed
On 2018-08-24 01:45, Guilhem Moulin wrote:
CVE-2018-15599 was recently published for dropbear:
The recv_msg_userauth_request function in svr-auth.c in Dropbear
through 2018.76 is prone to a user enumeration vulnerability because
username validity affects how fields in SSH_MSG_USERAUTH messages
are handled, a similar issue to CVE-2018-15473 in an unrelated
codebase.
However the Security Team didn't issue a DSA [0], and suggested [1] to
instead fix that via stretch-pu. I enclosed a debdiff against
dropbear_2016.74-5.dsc.
+dropbear (2016.74-5+deb9u1) stable; urgency=medium
Please make the distribution "stretch", and feel free to upload.
Regards,
Adam