dropbear: CVE-2013-4434: Avoid disclosing existence of valid users through inconsistent delays

Related vulnerabilities: CVE-2013-4434, CVE-2013-4421

Debian Bug report logs - #726118
dropbear: CVE-2013-4434: Avoid disclosing existence of valid users through inconsistent delays


Reported by: Henri Salo <henri@nerv.fi>

Date: Sat, 12 Oct 2013 14:03:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in version dropbear/2012.55-1.3

Fixed in version dropbear/2012.55-1.4

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#726118; Package dropbear. (Sat, 12 Oct 2013 14:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <pape@smarden.org>. (Sat, 12 Oct 2013 14:03:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: dropbear: Avoid disclosing existence of valid users through inconsistent delays
Date: Sat, 12 Oct 2013 17:01:45 +0300
[Message part 1 (text/plain, inline)]
Package: dropbear
Version: 2012.55-1.3
Severity: important
Tags: fixed-upstream, security

Fixed in: https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a
CVE request: http://www.openwall.com/lists/oss-security/2013/10/10/15

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]
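The report above describes a timing side channel: a server that answers immediately for a username that does not exist, but pauses before rejecting a wrong password for one that does, confirms which usernames are valid. The following is an added illustration written for this page, not dropbear's code or the upstream fix. It models a toy password check in both the leaky and the consistent form; the account table, hashes, delay value and function names are all constructed, and the sleep is injected so the two paths can be compared without a wall clock.

```python
"""Toy model of a username-enumeration timing leak and its removal.

Added example, not dropbear code. The sleep function is passed in so
callers can record requested delays deterministically; pass
functools.partial-style wrappers around time.sleep to watch it live.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

SleepFn = Callable[[int], object]


def _digest(password: str) -> bytes:
    # Stand-in for the server's password verification work.
    return hashlib.sha256(password.encode()).digest()


# Constructed sample accounts (hypothetical users and passwords).
ACCOUNTS: Dict[str, bytes] = {
    "alice": _digest("correct horse"),
    "bob": _digest("hunter2"),
}

FAILURE_DELAY_US = 2_000_000  # hypothetical post-failure delay, microseconds


def vulnerable_auth(user: str, password: str, sleep: SleepFn) -> bool:
    """Leaky form: unknown users are rejected at once, while a wrong
    password for a known user is rejected only after the delay."""
    stored = ACCOUNTS.get(user)
    if stored is None:
        return False  # early return skips the delay below: observable
    if hmac.compare_digest(stored, _digest(password)):
        return True
    sleep(FAILURE_DELAY_US)
    return False


def hardened_auth(user: str, password: str, sleep: SleepFn) -> bool:
    """Consistent form: the password is hashed and the delay applied on
    every failure, whether or not the username exists."""
    stored = ACCOUNTS.get(user)
    candidate = _digest(password)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        sleep(FAILURE_DELAY_US)
    return ok


def measure(auth, user: str, password: str) -> Tuple[bool, int]:
    """Run one attempt with a recording clock; return (result, delay_us)."""
    requested: List[int] = []
    result = auth(user, password, requested.append)
    return result, sum(requested)


def enumerates_users(auth, known_user: str, unknown_user: str) -> bool:
    """Attacker's view: if a wrong password for a real account and a
    guess against a nonexistent one take different times, the server
    is confirming which usernames exist."""
    _, t_known = measure(auth, known_user, "not-the-password")
    _, t_unknown = measure(auth, unknown_user, "not-the-password")
    return t_known != t_unknown


if __name__ == "__main__":
    for name, auth in (("vulnerable", vulnerable_auth), ("hardened", hardened_auth)):
        print(name, "leaks usernames:", enumerates_users(auth, "alice", "mallory"))
```

Against a real server the comparison is statistical rather than exact: network jitter means an assessor collects many samples per username and compares the distributions, and a fixed sleep only closes the channel if the work done before it (lookups, hashing) is also the same on both paths, which is why the hardened form hashes the password even for unknown users.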

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#726118; Package dropbear. (Wed, 16 Oct 2013 04:09:09 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 16 Oct 2013 04:09:09 GMT) (full text, mbox, link).


Message #10 received at 726118@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 726019@bugs.debian.org, 726118@bugs.debian.org
Subject: Security nmu
Date: Wed, 16 Oct 2013 00:04:11 -0400
[Message part 1 (text/plain, inline)]
control: tag -1 patch
control: tag -1 pending

Hi,

I've uploaded an nmu to delayed/5 fixing these issues.  Please see
attached patch.

Best wishes,
Mike
[dropbear.patch (application/octet-stream, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 726118-submit@bugs.debian.org. (Wed, 16 Oct 2013 04:09:09 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 726118-submit@bugs.debian.org. (Wed, 16 Oct 2013 04:09:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#726118; Package dropbear. (Wed, 16 Oct 2013 12:54:16 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 16 Oct 2013 12:54:16 GMT) (full text, mbox, link).


Message #19 received at 726118@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 726118@bugs.debian.org
Subject: Re: Bug#726118: dropbear: Avoid disclosing existence of valid users through inconsistent delays
Date: Wed, 16 Oct 2013 14:53:25 +0200
Control: retitle -1 dropbear: CVE-2013-4434: Avoid disclosing existence of valid users through inconsistent delays

Hi

> CVE request: http://www.openwall.com/lists/oss-security/2013/10/10/15

A CVE was now assigned to this. Please include CVE-2013-4434 in the
changelog when you fix the issue.

Regards,
Salvatore



Changed Bug title to 'dropbear: CVE-2013-4434: Avoid disclosing existence of valid users through inconsistent delays' from 'dropbear: Avoid disclosing existence of valid users through inconsistent delays' Request was from Salvatore Bonaccorso <carnil@debian.org> to 726118-submit@bugs.debian.org. (Wed, 16 Oct 2013 12:54:16 GMT) (full text, mbox, link).


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 21 Oct 2013 04:36:09 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 21 Oct 2013 04:36:09 GMT) (full text, mbox, link).


Message #26 received at 726118-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 726118-close@bugs.debian.org
Subject: Bug#726118: fixed in dropbear 2012.55-1.4
Date: Mon, 21 Oct 2013 04:33:46 +0000
Source: dropbear
Source-Version: 2012.55-1.4

We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated dropbear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Oct 2013 03:29:42 +0000
Source: dropbear
Binary: dropbear
Architecture: source amd64
Version: 2012.55-1.4
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 dropbear   - lightweight SSH2 server and client
Closes: 726019 726118
Changes: 
 dropbear (2012.55-1.4) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-4421: memory exhaustion issue (closes: #726019).
   * Fix timing delays that may reveal whether a user account is valid
     (closes: #726118).
Checksums-Sha1: 
 ecb1e37bb6b382be6f78cf4f7a48c6f3f2688059 2342 dropbear_2012.55-1.4.dsc
 8082b2b7041913f32779260aefe7be665ea6b131 8468 dropbear_2012.55-1.4.diff.gz
 850f42c88b6e6e46a69af03f38d46339c03823ef 141768 dropbear_2012.55-1.4_amd64.deb
Checksums-Sha256: 
 d0158ff63752b1de68413a8cfa59ab9b81db9f336f6e7d4be6c2f8f79ae9c730 2342 dropbear_2012.55-1.4.dsc
 8e331db20f7faa91a245db4d6b7d7e7c1f6d57d2be873784399b455c8949bbfb 8468 dropbear_2012.55-1.4.diff.gz
 2e1d1edeaaf30f2741a7c8c1ec8498e4dbd68fe400d206229a8422a0a730a8c8 141768 dropbear_2012.55-1.4_amd64.deb
Files: 
 5c03fdc4faa9023f31cc8022371edbaf 2342 net optional dropbear_2012.55-1.4.dsc
 819107e53b113fa0d032ae3f0c8c90eb 8468 net optional dropbear_2012.55-1.4.diff.gz
 5676bf6aa6f58c399e88bcc915064f10 141768 net optional dropbear_2012.55-1.4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
=6uqk
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Nov 2013 07:26:04 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:28 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.