diff options
Diffstat (limited to 'zarb-ml/mageia-dev/2012-April/014636.html')
| -rw-r--r-- | zarb-ml/mageia-dev/2012-April/014636.html | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-April/014636.html b/zarb-ml/mageia-dev/2012-April/014636.html new file mode 100644 index 000000000..9511178f8 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-April/014636.html @@ -0,0 +1,116 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Freeze Push: dropbear + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Freeze%20Push%3A%20dropbear&In-Reply-To=%3C4F93E0B1.1020205%40colin.guthr.ie%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="014654.html"> + <LINK REL="Next" HREF="014672.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Freeze Push: dropbear</H1> + <B>Colin Guthrie</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Freeze%20Push%3A%20dropbear&In-Reply-To=%3C4F93E0B1.1020205%40colin.guthr.ie%3E" + TITLE="[Mageia-dev] Freeze Push: dropbear">mageia at colin.guthr.ie + </A><BR> + <I>Sun Apr 22 12:42:57 CEST 2012</I> + <P><UL> + <LI>Previous message: <A HREF="014654.html">[Mageia-dev] microcode needed by default +</A></li> + <LI>Next message: <A HREF="014672.html">[Mageia-dev] Freeze Push: dropbear +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#14636">[ date ]</a> + <a href="thread.html#14636">[ thread ]</a> + <a href="subject.html#14636">[ subject ]</a> + <a href="author.html#14636">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>When adding systemd units to dropbear, I noticed a security problem had +been announced. + +- Security: Fix use-after-free bug that could be triggered if command="..." + authorized_keys restrictions are used. Could allow arbitrary code +execution + or bypass of the command="..." restriction to an authenticated user. + This bug affects releases 0.52 onwards. Ref CVE-2012-0920. + Thanks to Danny Fullerton of Mantor Organization for reporting + the bug. + + +Please push. + +Note, that dropbear suffers from the same problem as openssh-server when +pam support is disabled - i.e. all sessions will be killed on service +restart. + +I tried enabling PAM support but this didn't seem to work properly so +I've left it disabled for now. + +I've mentioned the issue on Fedora, so hopefully they'll fix it! + +<A HREF="https://bugzilla.redhat.com/show_bug.cgi?id=770251">https://bugzilla.redhat.com/show_bug.cgi?id=770251</A> + + +-- + +Colin Guthrie +colin(at)mageia.org +<A HREF="http://colin.guthr.ie/">http://colin.guthr.ie/</A> + +Day Job: + Tribalogic Limited <A HREF="http://www.tribalogic.net/">http://www.tribalogic.net/</A> +Open Source: + Mageia Contributor <A HREF="http://www.mageia.org/">http://www.mageia.org/</A> + PulseAudio Hacker <A HREF="http://www.pulseaudio.org/">http://www.pulseaudio.org/</A> + Trac Hacker <A HREF="http://trac.edgewall.org/">http://trac.edgewall.org/</A> +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="014654.html">[Mageia-dev] microcode needed by default +</A></li> + <LI>Next message: <A HREF="014672.html">[Mageia-dev] Freeze Push: dropbear +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#14636">[ date ]</a> + <a href="thread.html#14636">[ thread ]</a> + <a href="subject.html#14636">[ subject ]</a> + <a href="author.html#14636">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |