Date:      Mon, 1 Aug 2016 18:07:39 +0000 (UTC)
From:      Pawel Pekala <pawel@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r419448 - branches/2016Q3/security/dropbear
Message-ID:  <201608011807.u71I7dOG020881@repo.freebsd.org>

Author: pawel
Date: Mon Aug  1 18:07:38 2016
New Revision: 419448
URL: https://svnweb.freebsd.org/changeset/ports/419448

Log:
  MFH: r419445
  
  - Update to version 2016.74
  - Add license information
  
  Changelog:
  - Security: Message printout was vulnerable to format string injection.
  
    If specific usernames including "%" symbols can be created on a system
    (validated by getpwnam()) then an attacker could run arbitrary code as root
    when connecting to Dropbear server.
  
    A dbclient user who can control username or host arguments could potentially
    run arbitrary code as the dbclient user. This could be a problem if scripts
    or webpages pass untrusted input to the dbclient program.
  
  - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
    the local dropbearconvert user when parsing malicious key files
  
  - Security: dbclient could run arbitrary code as the local dbclient user if
    particular -m or -c arguments are provided. This could be an issue where
    dbclient is used in scripts.
  
  - Security: dbclient or dropbear server could expose process memory to the
    running user if compiled with DEBUG_TRACE and running with -v
  
  PR:		211298
  Submitted by:	Piotr Kubaj (maintainer)
  
  Approved by:	ports-secteam (feld)

Modified:
  branches/2016Q3/security/dropbear/Makefile
  branches/2016Q3/security/dropbear/distinfo
Directory Properties:
  branches/2016Q3/   (props changed)

Modified: branches/2016Q3/security/dropbear/Makefile
==============================================================================
--- branches/2016Q3/security/dropbear/Makefile	Mon Aug  1 17:51:07 2016	(r419447)
+++ branches/2016Q3/security/dropbear/Makefile	Mon Aug  1 18:07:38 2016	(r419448)
@@ -2,13 +2,16 @@
 # $FreeBSD$
 
 PORTNAME=	dropbear
-PORTVERSION=	2016.73
+PORTVERSION=	2016.74
 CATEGORIES=	security ipv6
 MASTER_SITES=	http://matt.ucc.asn.au/dropbear/releases/
 
 MAINTAINER=	pkubaj@anongoth.pl
 COMMENT=	SSH 2 server, designed to be usable in small memory environments
 
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
 GNU_CONFIGURE=	yes
 USES=		cpe gmake tar:bzip2
 CPE_VENDOR=	matt_johnston
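Review bot: MASTER_SITES, in the unchanged context of this hunk, still points at a plain http:// URL, so for a release whose log lists four security fixes the only integrity control on the fetched tarball is the SHA256 in distinfo. If upstream serves the releases over https, switch the URL in this same change. The added LICENSE_FILE=${WRKSRC}/LICENSE line should also be confirmed against the 2016.74 tarball, so that a missing or renamed file does not break the build.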

Modified: branches/2016Q3/security/dropbear/distinfo
==============================================================================
--- branches/2016Q3/security/dropbear/distinfo	Mon Aug  1 17:51:07 2016	(r419447)
+++ branches/2016Q3/security/dropbear/distinfo	Mon Aug  1 18:07:38 2016	(r419448)
@@ -1,2 +1,3 @@
-SHA256 (dropbear-2016.73.tar.bz2) = 5c61a4f69b093b688629cd365be38701485ff63cfb23642dab7a05ad250aefd7
-SIZE (dropbear-2016.73.tar.bz2) = 1621584
+TIMESTAMP = 1469201269
+SHA256 (dropbear-2016.74.tar.bz2) = 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891
+SIZE (dropbear-2016.74.tar.bz2) = 1622234
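Review bot: the new SHA256 and SIZE lines for dropbear-2016.74.tar.bz2 are the only thing binding this port to a specific tarball, and the log does not say what they were checked against. Because the distfile is fetched over http (MASTER_SITES in the Makefile), compare the hash with the value upstream publishes for the release, if it publishes one, and record that check in the commit log or in PR 211298.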



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201608011807.u71I7dOG020881>
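The format string injection named in the changelog above, shown as an added example. It is not part of the original commit mail and is not Dropbear's code. The function names, the message text and the sample username are hypothetical, constructed to show the bug class beside its fix.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical log sink: formats into a caller-supplied buffer so the
 * result can be inspected. Stands in for a syslog-style message printout. */
static void log_sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the username is spliced into a buffer that is then
 * reused as the format string, so any '%' in the name is interpreted. */
void exit_msg_vulnerable(char *out, size_t n, const char *username)
{
    char fmtbuf[128];
    snprintf(fmtbuf, sizeof(fmtbuf), "Exit (%s): disconnected", username);
    log_sink(out, n, fmtbuf);   /* user-influenced format string */
}

/* HARDENED pattern: the format is a constant; the username is only data. */
void exit_msg_safe(char *out, size_t n, const char *username)
{
    log_sink(out, n, "Exit (%s): disconnected", username);
}

/* Defensive check for account-creation or input-validation code. */
int username_has_format_char(const char *username)
{
    return strchr(username, '%') != NULL;
}

int main(void)
{
    /* Constructed input: "%%" is the one directive that consumes no
     * argument, so the reinterpretation is visible without undefined
     * behaviour. */
    const char *name = "bob%%";
    char a[128], b[128];
    exit_msg_vulnerable(a, sizeof(a), name);
    exit_msg_safe(b, sizeof(b), name);
    printf("vulnerable: %s\nsafe:       %s\n", a, b);
    return 0;
}
```

If the sink is declared with the GCC/Clang `format(printf, ...)` attribute, `-Wformat-security` flags the call in `exit_msg_vulnerable` at compile time.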