20160723 Updated to dropbear-2016.74

Changelog (2015.73 ~ 2016.74)

2016.74 - 21 July 2016

- Security: Message printout was vulnerable to format string 

  If specific usernames including "%" symbols can be created on 
  a system (validated by getpwnam()) then an attacker could run 
  arbitrary code as root when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could 
  potentially run arbitrary code as the dbclient user. This could 
  be a problem if scripts or webpages pass untrusted input to 
  the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run 
  arbitrary code as the local dropbearconvert user when parsing 
  malicious key files

- Security: dbclient could run arbitrary code as the local dbclient 
  user if particular -m or -c arguments are provided. This could be 
  an issue where dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory 
  to the running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working 
  with Beyond Security's SecuriTeam Secure Disclosure 

- Fix port forwarding failure when connecting to domains that have
  both IPv4 and IPv6 addresses. The bug was introduced in 2015.68

- Fix 100% CPU use while waiting for rekey to complete. 
  Thanks to Zhang Hui P for the patch
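
The format string item at the top of the changelog, illustrated with a minimal C example added here (it is not Dropbear's code; `log_msg`, `log_bad_login_vulnerable`, `log_bad_login_safe` and `name_was_interpreted` are hypothetical names). It shows a username being parsed as a format string when a pre-built message is passed as the format argument, next to the constant-format version that treats the name purely as data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style log sink; writes the formatted message to out. */
static void log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the message is built first, then handed to the
 * sink as the format string, so the username is parsed a second time. */
static void log_bad_login_vulnerable(char *out, size_t n, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Bad login for '%s'", user);
    log_msg(out, n, msg);          /* user-influenced format string */
}

/* HARDENED: constant format string; the username is only ever data. */
static void log_bad_login_safe(char *out, size_t n, const char *user)
{
    log_msg(out, n, "Bad login for '%s'", user);
}

/* Returns 1 if the two paths disagree, i.e. the name was interpreted. */
static int name_was_interpreted(const char *user)
{
    char a[256], b[256];
    log_bad_login_vulnerable(a, sizeof a, user);
    log_bad_login_safe(b, sizeof b, user);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample names. "%%" takes no argument, so the
     * vulnerable path stays well defined while still showing parsing. */
    const char *names[] = { "alice", "a%%b" };
    for (size_t i = 0; i < 2; i++)
        printf("%-6s interpreted=%d\n", names[i], name_was_interpreted(names[i]));
    return 0;
}
```

Declaring the sink with `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` lets GCC and Clang flag the vulnerable call at compile time.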