openSUSE has issued an advisory on July 27:
https://lists.opensuse.org/opensuse-updates/2016-07/msg00089.html

The issues were fixed upstream in 2016.74. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
dropbear-2016.74-1.mga6 uploaded for Cauldron. Mageia 5 still needs to be addressed.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
I've pushed dropbear-2014.66-1.2.mga5 to updates_testing.

A simple sanity check for the dropbear server is in https://bugs.mageia.org/show_bug.cgi?id=17948#c2

A sanity check for dropbearconvert is the following (no error message of any sort should appear):

    test -e /etc/ssh/ssh_host_rsa_key || echo Error: no key file
    sudo dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /tmp/test19074 || echo Error
    sudo dropbearconvert dropbear openssh /tmp/test19074 /tmp/test19074b || echo Error
    sudo shred -u /tmp/test19074*

A sanity check for dbclient is the following (assuming localhost has a working ssh daemon):

    dbclient -c aes256-ctr,aes128-ctr -m hmac-sha1,hmac-md5 localhost echo working

The string "working" should be printed.

Advisory:
========================

Updated dropbear package fixes a number of security vulnerabilities:

- Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system (validated by getpwnam()) then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who can control username or host arguments could potentially run arbitrary code as the dbclient user. This could be a problem if scripts or webpages pass untrusted input to the dbclient program.
- dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files
- dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts.

Mageia is not vulnerable to a fourth security issue because it does not enable the DEBUG_TRACE feature.

References:
https://lwn.net/Vulnerabilities/695690/
https://secure.ucc.asn.au/hg/dropbear/rev/10f28c95ca31
========================

Updated packages in core/updates_testing:
========================
dropbear-2014.66-1.2.mga5

from dropbear-2014.66-1.2.mga5.src.rpm
Whiteboard: (none) => has_procedure
Assignee: dan => qa-bugs
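The advisory above notes that scripts passing untrusted input to dbclient are exposed through the username, host, -c and -m arguments. The following is an added example, not part of the original thread or of Dropbear, showing one way a calling script could validate those values before invoking dbclient. The function names are hypothetical, and the allowlists reuse the algorithm names from the sanity check above as an assumption about what the local build offers.

```shell
#!/bin/sh
# Added example: pre-flight validation for scripts that hand untrusted values
# to dbclient. Function names are hypothetical; the allowlists are an assumption
# taken from the sanity check on this page.
ALLOWED_CIPHERS="aes256-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha1 hmac-md5"

# valid_name VALUE -> 0 only if VALUE is non-empty, consists of [A-Za-z0-9._-]
# and does not start with '-'. This rejects '%' and every other metacharacter.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# in_list WORD LIST -> 0 if WORD is one of the space-separated items in LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# valid_algos CSV LIST -> 0 if every comma-separated name in CSV is in LIST
valid_algos() {
    # Reject empty values, empty list elements and unexpected characters first,
    # so the unquoted expansion below cannot glob or split on whitespace.
    case $1 in
        ''|,*|*,|*,,*|*[!A-Za-z0-9,.@_-]*) return 1 ;;
    esac
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        in_list "$name" "$2" || return 1
    done
    return 0
}

# safe_dbclient USER HOST CIPHERS MACS [COMMAND...]
# Returns 2 on usage error, 1 on rejected input, else dbclient's exit status.
safe_dbclient() {
    [ $# -ge 4 ] || return 2
    user=$1 host=$2 ciphers=$3 macs=$4
    shift 4
    valid_name "$user" || { echo "rejected user name" >&2; return 1; }
    valid_name "$host" || { echo "rejected host name" >&2; return 1; }
    valid_algos "$ciphers" "$ALLOWED_CIPHERS" || { echo "rejected -c value" >&2; return 1; }
    valid_algos "$macs" "$ALLOWED_MACS" || { echo "rejected -m value" >&2; return 1; }
    dbclient -c "$ciphers" -m "$macs" "$user@$host" "$@"
}
```

The host check accepts only plain host names and IPv4 addresses; IPv6 literals would need a separate rule.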
I opened core/updates_testing repository and the only version of dropbear I could find was the following.

Version: 2014.66-1.1.mga5
Currently installed version: 2014.66-1.1.mga5
Group: Networking/Remote access
Architecture: x86_64
CC: (none) => alexandersirris
It seems to have hit the mirrors.

Installed the 2014.66-1.1.mga5 version.
As root:
Enabled Core Updates Testing (do you have the handy aliases such as ecupdt and dcupdt?)
Ran MageiaUpdate
Version 2014.66-1.2 appeared in the list.
At this point you should press "Select all" which actually deselects all the offered packages. Then click the checkbox next to dropbear (this is known as "cherry-picking") and hit Update.
dcupdt when installation finishes.

Forgive me if you already know all this. Over to you.
CC: (none) => tarazed25
Sorry I have switched off of this security issue to see if I can tackle Bug 1753. I'll circle back around to this when I can.
Sorry I have switched off of this security issue to see if I can tackle Bug 17536. I'll circle back around to this when I can.
Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
CVE request: http://www.openwall.com/lists/oss-security/2016/09/14/7
CVE assignments: http://www.openwall.com/lists/oss-security/2016/09/15/2

Advisory in SVN updated.
Summary: dropbear new security issues fixed in 2016.74 => dropbear new security issues fixed in 2016.74 (CVE-2016-740[6-8])
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0301.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED