openSUSE Security Update: update for dropbear
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1696-1
Rating:             moderate
References:         #845306
Cross-References:   CVE-2013-4421 CVE-2013-4434
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   dropbear was updated to version 2013.60 to fix the following bugs:

   * Fix "make install" so that it doesn't always install to /bin and /sbin
   * Fix "make install MULTI=1", installing manpages failed
   * Fix "make install" when scp is included since it has no manpage
   * Make --disable-bundled-libtom work
   - used as bug fix release for bnc#845306 - VUL-0: CVE-2013-4421 and CVE-2013-4434
   - provided links for download sources
   - employed gpg-offline - verify sources
   - imported upstream version 2013.59
     * Fix crash from -J command
       Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches
     * Avoid reading too much from /proc/net/rt_cache since that causes system slowness.
     * Improve EOF handling for half-closed connections
       Thanks to Catalin Patulea
     * Send a banner message to report PAM error messages intended for the user
       Patch from Martin Donnelly
     * Limit the size of decompressed payloads, avoids memory exhaustion denial of service
       Thanks to Logan Lamb for reporting and investigating it
     * Avoid disclosing existence of valid users through inconsistent delays
       Thanks to Logan Lamb for reporting
     * Update config.guess and config.sub for newer architectures
     * Avoid segfault in server for locked accounts
     * "make install" now installs manpages
       dropbearkey.8 has been renamed to dropbearkey.1
       manpage added for dropbearconvert
     * Get rid of one second delay when running non-interactive commands

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2013-839

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      dropbear-2013.60-2.4.1
      dropbear-debuginfo-2013.60-2.4.1
      dropbear-debugsource-2013.60-2.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-4421.html
   http://support.novell.com/security/cve/CVE-2013-4434.html
   https://bugzilla.novell.com/845306
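The following POSIX shell script is an added example, not part of the openSUSE advisory or of the dropbear project: it checks whether installed dropbear package strings (in the `name-version-release[.arch]` form that `rpm -q dropbear` prints) are at or above the fixed build dropbear-2013.60-2.4.1 from the package list above, so an administrator can find hosts that still need `zypper in -t patch openSUSE-2013-839`. The inventory lines are constructed sample data, and the comparison assumes purely numeric dot-separated version and release fields, which is all this update needs; it generalizes to any package whose version and release follow that shape.

```shell
#!/bin/sh
# Added example (not from the advisory): flag dropbear packages older than the
# fixed build named in openSUSE-SU-2013:1696-1.

FIXED_VERSION="2013.60"   # from the advisory's package list
FIXED_RELEASE="2.4.1"

# Compare two dot-separated numeric strings; prints -1, 0 or 1.
# Assumption: every component is a non-negative integer (true for this package).
cmp_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a="" || a=${a#*.}
        [ "$bh" = "$b" ] && b="" || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}          # missing trailing component counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# dropbear_is_patched PKGSTRING
# Exit status: 0 = at or above the fixed build, 1 = older (vulnerable),
# 2 = not a parseable "dropbear-<version>-<release>[.arch]" string.
dropbear_is_patched() {
    pkg="$1"
    case "$pkg" in
        dropbear-[0-9]*-*) ;;
        *) return 2 ;;
    esac
    rest=${pkg#dropbear-}        # e.g. 2013.60-2.4.1.x86_64
    ver=${rest%%-*}              # 2013.60
    rel=${rest#*-}               # 2.4.1.x86_64
    case "$rel" in               # strip the architectures this update ships for
        *.x86_64) rel=${rel%.x86_64} ;;
        *.i586)   rel=${rel%.i586} ;;
        *.noarch) rel=${rel%.noarch} ;;
    esac
    c=$(cmp_dotted "$ver" "$FIXED_VERSION")
    if [ "$c" -lt 0 ]; then return 1; fi
    if [ "$c" -gt 0 ]; then return 0; fi
    c=$(cmp_dotted "$rel" "$FIXED_RELEASE")
    [ "$c" -ge 0 ]
}

# Constructed sample inventory ("<host> <rpm -q dropbear output>"); not real data.
SAMPLE_INVENTORY='host-a dropbear-2013.60-2.4.1.x86_64
host-b dropbear-2013.58-1.1.i586
host-c dropbear-2013.60-2.3.1.x86_64
host-d package dropbear is not installed'

# Print one line per host: "<host> patched|VULNERABLE|unknown <package string>".
scan_inventory() {
    while read -r host pkg; do
        [ -n "$host" ] || continue
        dropbear_is_patched "$pkg" && rc=0 || rc=$?
        case "$rc" in
            0) printf '%s patched %s\n' "$host" "$pkg" ;;
            1) printf '%s VULNERABLE %s\n' "$host" "$pkg" ;;
            *) printf '%s unknown %s\n' "$host" "$pkg" ;;
        esac
    done <<EOF
$SAMPLE_INVENTORY
EOF
}

scan_inventory
```

On a real fleet, replace the constructed inventory with lines collected from each host (for example `hostname; rpm -q dropbear`); a host on 2013.60 with a release below 2.4.1 is reported as vulnerable because the fix here is a distribution build, not only an upstream version bump.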