-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 May 2017 20:49:16 +0200
Source: dropbear
Binary: dropbear
Architecture: source amd64
Version: 2012.55-1.3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Gerrit Pape <p...@smarden.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Description:
 dropbear   - lightweight SSH2 server and client
Changes:
 dropbear (2012.55-1.3+deb7u2) wheezy-security; urgency=high
 .
   * Backport fix for CVE-2017-9079 from 2017.75: information disclosure with
     ~/.ssh/authorized_keys symlink.
     Dropbear parsed authorized_keys as root, even if it was a symlink. The fix
     is to switch to user permissions when opening authorized_keys.
     A user could symlink their ~/.ssh/authorized_keys to a root-owned file
     they couldn't normally read. If they managed to get that file to contain
     valid authorized_keys with command= options it might be possible to read
     other contents of that file. This information disclosure is to an already
     authenticated user.
Checksums-Sha1:
 6564c271fcf0f927c89975203f5bbc4fb5289464 1832 dropbear_2012.55-1.3+deb7u2.dsc
 2c65dd1f423884a38079f5e4386c698015222279 1774927 dropbear_2012.55.orig.tar.gz
 16b185cf8aaac243c9a3cd2b470e379c9d4f6f7b 26969 dropbear_2012.55-1.3+deb7u2.debian.tar.gz
 bafc61cd06e1fe9807e31941a59bf28a0a7ac468 283008 dropbear_2012.55-1.3+deb7u2_amd64.deb
Checksums-Sha256:
 6a7e95e08e4ebf0e6b376c2180dae5669a744fd14e242f9f7b3076e7bd2274df 1832 dropbear_2012.55-1.3+deb7u2.dsc
 808df243c61bb60f2f18fa64bca628cbba0918b2a14139f10e6d59d4ac5a17ce 1774927 dropbear_2012.55.orig.tar.gz
 88340ec78d89003aef894b6ec54f1a6d265aeeb76f3b7a016f037c0fecf094b3 26969 dropbear_2012.55-1.3+deb7u2.debian.tar.gz
 791994380e198ec956dd3fa76116fed302774f1bfdb09921a9a0fb99cc001263 283008 dropbear_2012.55-1.3+deb7u2_amd64.deb
Files:
 0151f9466277e000731c984a70e60444 1832 net optional dropbear_2012.55-1.3+deb7u2.dsc
 44836e5a0419ba12557f9ea46880077e 1774927 net optional dropbear_2012.55.orig.tar.gz
 a55614cdad8a8a35e2f22d086562235c 26969 net optional dropbear_2012.55-1.3+deb7u2.debian.tar.gz
 8b0596e81bbaed1c11df292b6bf13901 283008 net optional dropbear_2012.55-1.3+deb7u2_amd64.deb
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAlkhzq5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEeYxg/+PBN5FWibUqkFcrNpIDCHsKK6Njyr/M6t843LneKeU3XkpdhC3SVsENvW
cFr2Gp4ikz8+XB2n5UCrii9CDXi2/pVrXYayJzv0QCdOT0tFzUlWXGPppsGscU2/
lZfgiAW9Nk1KYQ90WHi0+s4D9h0jvyKBYTxXJvhEKsTxQqs3VOUbjH0VUSmszWyH
lACCqa8lvAuvTb1oogwloUOylzvtZ/nqwrm7buAS0TLx6dGt22oC5dhQfXQws131
B8yK4dA8x7jW35+sbDpvrZ3JIOnJNfcrWIZQd+GTPci8QR+G5dO1xBdoeve4jvqo
nmWg1YJ9TJNW9VWcSNSRJ96tImJ19OY0ZLnwLOYz4Vats7It2f40ftU/HCbThvgQ
VzuFKc/+eiyj1JDGbU9jN8NkkpbV/bbdssXWH4i+gnZ80z6iM1WomwC03MUuEQJ2
eI1fkJlCVXiJsrFJ8f4LXdI9AX3ncgwDCnzI05JaaO5ivDc7c+lzvTqUOAEcym8N
kSGo8XjNmDDniz2h8QMfqZIGyZ1GAHQ9x9bAlpU4BkrYrvuEol+LKx73ct/VJJKL
MS4yShAyocx+YcKWCd/uCtdbGxqDfDB7cFCUt7RTk/8YVa2f84AFelTbUphudwBt
8Q/q+6QMVbhZG68ghXhsOlFzPHW0cT7U0wP5aOVwvzl/yVU+O7I=
=zxw+
-----END PGP SIGNATURE-----
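The changelog entry above describes the fix only as "switch to user permissions when opening authorized_keys". The following C program is an added illustration of that technique and is not dropbear's or Debian's own code: open_as_user() temporarily sets the effective uid/gid to the authenticating user around the open(2) call, so the kernel's permission check on whatever the symlink resolves to is done with the user's rights rather than root's, then restores the daemon's identity. The demo_symlink_open() function builds a constructed scenario under /tmp (a key file the user owns, a legitimate symlink to it, a file the user must not read, and a symlink pointing at that file) and checks both outcomes. When run as root it opens as uid/gid 65534, assumed here to be an unprivileged "nobody" account; when run as an ordinary user it uses a mode-0000 file as the unreadable target. The sample key line is constructed, not a real key.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only with the effective credentials of uid/gid.
 * The kernel checks access against the *effective* ids, so a symlink that
 * points at a file the user cannot read fails with EACCES instead of being
 * read with the daemon's root privileges. Symlinks are still followed:
 * a user is allowed to symlink their own authorized_keys elsewhere.
 * Returns an fd, or -1 with errno set; the caller's effective ids are
 * always restored before returning. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* gid first: once the euid is non-root, setegid() would be refused. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        saved_errno = errno;
        (void)setegid(saved_egid);
        errno = saved_errno;
        return -1;
    }

    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;

    /* Restore uid first (root regains the right to change gid), then gid.
     * A daemon that cannot regain its identity must not carry on. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();

    errno = saved_errno;
    return fd;
}

/* Constructed demonstration; returns 1 when the legitimate symlink opens
 * and the symlink to an unreadable file is refused with EACCES. */
int demo_symlink_open(void)
{
    static const char key[] = "ssh-ed25519 AAAAC3constructedSampleKey demo\n";
    char dir[] = "/tmp/authkeys-demo-XXXXXX";
    char real[512], link_ok[512], secret[512], link_evil[512];
    uid_t uid = getuid(), saved_euid = geteuid();
    gid_t gid = getgid();
    int fd, ok = 0, as_root = (geteuid() == 0);

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/authorized_keys.real", dir);
    snprintf(link_ok, sizeof link_ok, "%s/authorized_keys", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link_evil, sizeof link_evil, "%s/authorized_keys_evil", dir);

    if (as_root) {
        uid = 65534; gid = 65534;   /* assumption: unprivileged "nobody" */
        (void)chmod(dir, 0755);     /* let that user traverse the directory */
    }

    /* The user's own key file: 0600, owned by the user we open as. */
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto out;
    if (write(fd, key, strlen(key)) < 0) { close(fd); goto out; }
    close(fd);
    if (as_root && chown(real, uid, gid) != 0) goto out;

    /* A file the user must not read: root-owned 0600, or mode 0000. */
    fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, as_root ? 0600 : 0);
    if (fd < 0) goto out;
    close(fd);

    if (symlink(real, link_ok) != 0 || symlink(secret, link_evil) != 0)
        goto out;

    /* Legitimate symlink to the user's own file: must open. */
    fd = open_as_user(link_ok, uid, gid);
    if (fd < 0) goto out;
    close(fd);

    /* The CVE-2017-9079 shape: symlink to a file the user cannot read.
     * Must fail with EACCES, and our effective uid must be restored. */
    fd = open_as_user(link_evil, uid, gid);
    if (fd >= 0) { close(fd); goto out; }
    if (errno == EACCES && geteuid() == saved_euid)
        ok = 1;

out:
    unlink(link_evil); unlink(link_ok); unlink(secret); unlink(real);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink check %s\n", demo_symlink_open() ? "ok" : "FAILED");
    return 0;
}
```

The ordering inside open_as_user() matters: dropping the gid after the uid would fail, and restoring the gid before the uid would likewise be refused, which is why the restore path aborts rather than silently continuing with a half-restored identity.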