Debian has issued an advisory on May 19: https://www.debian.org/security/2017/dsa-3859 Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
Freeze push for Cauldron to 2017.75
Fix for mga5 is in svn.
dropbear-2014.66-1.3.mga5 is now available in core/updates_testing.

Test procedure for CVE-2017-9079 fix:

sudo systemctl stop sshd.service
sudo systemctl start dropbear.service
ssh -o PasswordAuthentication=false localhost echo success
# This should print the word "success" if the test is successful.
# The previous command assumes a public key is available and configured for
# use by the current user. If the error "Permission denied" is received,
# try creating a key pair and enabling it for login with these commands:
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa localhost

I wasn't able to successfully trigger the double free of CVE-2017-9078, so no test procedure is included here. In any case, the default Mageia configuration does not set -a so it's not vulnerable.

Proposed security advisory:

Advisory:
========================

Updated dropbear package fixes security vulnerabilities:

A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (CVE-2017-9078). The default Mageia configuration does not set -a.

Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys (CVE-2017-9079).

References:
https://matt.ucc.asn.au/dropbear/CHANGES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9079
Assignee: dan => qa-bugs
URL: (none) => https://matt.ucc.asn.au/dropbear/CHANGES
Whiteboard: MGA5TOO => MGA5TOO has_procedure advisory
Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure advisory => has_procedure advisory
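The CVE-2017-9079 fix above concerns dropbear opening authorized_keys as root even when the file is a symlink. As an added defender-side check, not part of the bug report or of the dropbear project, the following POSIX shell script audits the authorized_keys files under a home-directory root and reports the cases a root-privileged reader should not trust: symlinks, files not owned by the home directory's owner, and group- or world-writable files. The function name audit_authorized_keys, the sample directory layout, and the reliance on ls -ld column layout (owner in the third column) and on readlink being present are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the dropbear project).
# Audits HOMEROOT/*/.ssh/authorized_keys and reports files that a
# root-privileged reader should not trust: symlinks (the case behind
# CVE-2017-9079), files not owned by the home directory's owner, and
# group- or world-writable files. Uses only POSIX sh, ls, awk, cut, readlink.

# audit_authorized_keys HOMEROOT
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_authorized_keys() {
    root=$1
    rc=0
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        f=$home/.ssh/authorized_keys
        # -e follows symlinks, so also test -L to catch dangling links
        [ -e "$f" ] || [ -L "$f" ] || continue

        if [ -L "$f" ]; then
            printf 'SYMLINK   %s -> %s\n' "$f" "$(readlink "$f")"
            rc=1
            continue
        fi

        # Owner is the third column of ls -ld for both the file and the home dir
        home_owner=$(ls -ld "$home" | awk '{print $3}')
        key_owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$home_owner" != "$key_owner" ]; then
            printf 'OWNER     %s owned by %s, home owned by %s\n' "$f" "$key_owner" "$home_owner"
            rc=1
        fi

        # Mode string is -rwxrwxrwx: position 6 is group write, 9 is other write
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ?????w????|????????w?)
                printf 'WRITABLE  %s mode %s\n' "$f" "$mode"
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh audit_authorized_keys.sh /home   (hypothetical file name)
if [ $# -gt 0 ]; then
    audit_authorized_keys "$1" || echo "findings above need review"
fi
```

Run it against /home on a host before enabling a dropbear build without the fix, or as a periodic check afterwards; a non-zero exit status means at least one authorized_keys file would have been read with root privileges through a link or writable path.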
MGA5-32 on Asus A6000VM Xfce No installation issues. Following instructions in Comment 3 (including generating a key pair), resulted in "success".
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK
CC: (none) => herman.viaene
Tested on x86_64 with pre-existing ssh setup. Created the file /etc/sysconfig/dropbear with ... OPTIONS='-p munged' where munged is replaced by the port number I use before starting the service. Got the warning that key had changed, when connecting to that install, as expected. Advisory committed to svn. Validating the update.
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-32-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0165.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED