Hi,

Sorry for replying to such an old message, but:

Matt Johnston <m...@ucc.asn.au> wrote:
>
> Hi all,
>
> At long last Dropbear 2019.77 is released. Most changes are
> bug fixes, with a few small features. There are security
> fixes to avoid revealing the existence of valid usernames.
>
> This release also merges the fuzzing branch. In a
> normal build this should have no effect on operation.
>
> There are a few larger changes that are ready to merge
> that will have to wait for the next release - I wanted to
> get this bugfix out of the way first.
>
> Download at
> https://matt.ucc.asn.au/dropbear/dropbear.html
> mirror
> https://dropbear.nl/mirror/dropbear.html
>
> Cheers,
> Matt
>
> 2019.77 - 23 March 2019
>
> - Fix server -R option with ECDSA - only advertise one key size which will be
>   accepted. Reported by Peter Krefting, 2018.76 regression.
>
> - Fix server regression in 2018.76 where multiple client -R forwards were all
>   forwarded to the first destination. Reported by Iddo Samet.
>
> - Make failure delay more consistent to avoid revealing valid usernames, set
>   server password limit of 100 characters. Problem reported by usd responsible
>   disclosure team

What is the technical reason for limiting the server password length to such a
low value? It is even shorter than Windows PATH_MAX, which I think doesn't make
any sense.

> - Change handling of failed authentication to avoid disclosing valid
>   usernames, CVE-2018-15599.
>
> - Fix dbclient to reliably return the exit code from the remote server.
>   Reported by W. Mike Petullo
>
> - Fix export of 521-bit ECDSA keys, from Christian Hohnstädt
>
> - Add -o Port=xxx option to work with sshfs, from xcko
>
> - Merged fuzzing code, see FUZZER-NOTES.md
>
> - Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on
>   single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart
>
> - Increase allowed username to 100 characters, reported by W. Mike Petullo
>
> - Update config.sub and config.guess, should now work with RISC-V
>
> - Cygwin compile fix from karel-m
>
> - Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu
>
> - Fix for IRIX and writev(), reported by Kazuo Kuroi
>
> - Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin
>   Demin, Michael Jones, Pawel Rapkiewicz

Regards,
Roy