When adding systemd units to dropbear, I noticed a security problem had been announced.
- Security: Fix use-after-free bug that could be triggered if command="..." authorized_keys restrictions are used. Could allow arbitrary code execution or bypass of the command="..." restriction to an authenticated user. This bug affects releases 0.52 onwards. Ref CVE-2012-0920. Thanks to Danny Fullerton of Mantor Organization for reporting the bug.

Please push.

Note that dropbear suffers from the same problem as openssh-server when PAM support is disabled - i.e. all sessions will be killed on service restart. I tried enabling PAM support but this didn't seem to work properly so I've left it disabled for now.

I've mentioned the issue on Fedora, so hopefully they'll fix it!
https://bugzilla.redhat.com/show_bug.cgi?id=770251

--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
