Date: Mon, 1 Aug 2016 18:07:39 +0000 (UTC) From: Pawel Pekala <pawel@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r419448 - branches/2016Q3/security/dropbear Message-ID: <201608011807.u71I7dOG020881@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: pawel Date: Mon Aug 1 18:07:38 2016 New Revision: 419448 URL: https://svnweb.freebsd.org/changeset/ports/419448 Log: MFH: r419445 - Update to version 2016.74 - Add license information Changelog: - Security: Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system (validated by getpwnam()) then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who can control username or host arguments could potentially run arbitrary code as the dbclient user. This could be a problem if scripts or webpages pass untrusted input to the dbclient program. - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files - Security: dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts. - Security: dbclient or dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v PR: 211298 Submitted by: Piotr Kubaj (maintainer) Approved by: ports-secteam (feld) Modified: branches/2016Q3/security/dropbear/Makefile branches/2016Q3/security/dropbear/distinfo Directory Properties: branches/2016Q3/ (props changed) Modified: branches/2016Q3/security/dropbear/Makefile ============================================================================== --- branches/2016Q3/security/dropbear/Makefile Mon Aug 1 17:51:07 2016 (r419447) +++ branches/2016Q3/security/dropbear/Makefile Mon Aug 1 18:07:38 2016 (r419448) @@ -2,13 +2,16 @@ # $FreeBSD$ PORTNAME= dropbear -PORTVERSION= 2016.73 +PORTVERSION= 2016.74 CATEGORIES= security ipv6 MASTER_SITES= http://matt.ucc.asn.au/dropbear/releases/ MAINTAINER= pkubaj@anongoth.pl COMMENT= SSH 2 server, designed to be usable in small memory environments +LICENSE= MIT +LICENSE_FILE= ${WRKSRC}/LICENSE + GNU_CONFIGURE= yes USES= cpe gmake tar:bzip2 CPE_VENDOR= matt_johnston Modified: branches/2016Q3/security/dropbear/distinfo ============================================================================== --- branches/2016Q3/security/dropbear/distinfo Mon Aug 1 17:51:07 2016 (r419447) +++ branches/2016Q3/security/dropbear/distinfo Mon Aug 1 18:07:38 2016 (r419448) @@ -1,2 +1,3 @@ -SHA256 (dropbear-2016.73.tar.bz2) = 5c61a4f69b093b688629cd365be38701485ff63cfb23642dab7a05ad250aefd7 -SIZE (dropbear-2016.73.tar.bz2) = 1621584 +TIMESTAMP = 1469201269 +SHA256 (dropbear-2016.74.tar.bz2) = 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891 +SIZE (dropbear-2016.74.tar.bz2) = 1622234
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201608011807.u71I7dOG020881>