Mailinglist Archive: opensuse-updates (64 mails)

openSUSE-SU-2013:1616-1: moderate: update for dropbear
openSUSE Security Update: update for dropbear
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:1616-1
Rating: moderate
References: #845306
Cross-References: CVE-2013-4421 CVE-2013-4434
Affected Products:
openSUSE 12.3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

dropbear was updated to version 2013.60 to fix the following
bugs:
* Fix "make install" so that it doesn't always install to
/bin and /sbin
* Fix "make install MULTI=1", installing manpages failed
* Fix "make install" when scp is included since it has no
manpage
* Make --disable-bundled-libtom work
- used as bug fix release for bnc#845306 - VUL-0:
CVE-2013-4421 and CVE-2013-4434

- provided links for download sources
- employed gpg-offline - verify sources

- imported upstream version 2013.59
* Fix crash from -J command. Thanks to Lluís Batlle i
Rossell and Arnaud Mouiche for patches.
* Avoid reading too much from /proc/net/rt_cache since
that causes system slowness.
* Improve EOF handling for half-closed connections. Thanks
to Catalin Patulea.
* Send a banner message to report PAM error messages
intended for the user. Patch from Martin Donnelly.
* Limit the size of decompressed payloads, avoids memory
exhaustion denial of service. Thanks to Logan Lamb for
reporting and investigating it.
* Avoid disclosing existence of valid users through
inconsistent delays. Thanks to Logan Lamb for reporting.
* Update config.guess and config.sub for newer
architectures
* Avoid segfault in server for locked accounts
* "make install" now installs manpages. dropbearkey.8 has
been renamed to dropbearkey.1, manpage added for
dropbearconvert
* Get rid of one second delay when running
non-interactive commands


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2013-811

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (i586 x86_64):

dropbear-2013.60-7.4.1
dropbear-debuginfo-2013.60-7.4.1
dropbear-debugsource-2013.60-7.4.1


References:

http://support.novell.com/security/cve/CVE-2013-4421.html
http://support.novell.com/security/cve/CVE-2013-4434.html
https://bugzilla.novell.com/845306

