
List:       dropbear
Subject:    Re: Dropbear 2019.77
From:       roytam () gmail ! com
Date:       2021-06-29 11:18:51
Message-ID: CAA=zYJZ9dN9NUm9hnzh0jw+2HbTuBjtyxT+_GcWumuaqMju=yQ () mail ! gmail ! com

Hi,

Sorry for replying to such an old message, but:

Matt Johnston <matt@ucc.asn.au> wrote:
>
> Hi all,
>
> At long last Dropbear 2019.77 is released. Most changes are
> bug fixes, with a few small features. There are security
> fixes to avoid revealing the existence of valid usernames.
>
> This release also merges the fuzzing branch. In a
> normal build this should have no effect on operation.
>
> There are a few larger changes that are ready to merge
> that will have to wait for the next release - I wanted to
> get this bugfix out of the way first.
>
> Download at
> https://matt.ucc.asn.au/dropbear/dropbear.html
> mirror
> https://dropbear.nl/mirror/dropbear.html
>
> Cheers,
> Matt
>
> 2019.77 - 23 March 2019
>
> - Fix server -R option with ECDSA - only advertise one key size which will be accepted.
>   Reported by Peter Krefting, 2018.76 regression.
>
> - Fix server regression in 2018.76 where multiple client -R forwards were all forwarded
>   to the first destination. Reported by Iddo Samet.
>
> - Make failure delay more consistent to avoid revealing valid usernames, set server password
>   limit of 100 characters. Problem reported by usd responsible disclosure team

What is the technical reason for limiting the server password length to
such a low value? It is even shorter than Windows PATH_MAX, which I
think doesn't make any sense.

> - Change handling of failed authentication to avoid disclosing valid usernames,
>   CVE-2018-15599.
>
> - Fix dbclient to reliably return the exit code from the remote server.
>   Reported by W. Mike Petullo
>
> - Fix export of 521-bit ECDSA keys, from Christian Hohnstädt
>
> - Add -o Port=xxx option to work with sshfs, from xcko
>
> - Merged fuzzing code, see FUZZER-NOTES.md
>
> - Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on
>   single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart
>
> - Increase allowed username to 100 characters, reported by W. Mike Petullo
>
> - Update config.sub and config.guess, should now work with RISC-V
>
> - Cygwin compile fix from karel-m
>
> - Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu
>
> - Fix for IRIX and writev(), reported by Kazuo Kuroi
>
> - Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin,
>   Michael Jones, Pawel Rapkiewicz

Regards,
Roy
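The two changelog items quoted above, the more consistent failure delay and the 100-character server password limit, are two halves of one defensive pattern: make the failed-authentication path take the same time and do the same bounded amount of work whether or not the username exists, so an attacker cannot enumerate accounts from response timing (the CVE-2018-15599 item). The sketch below is an added illustration written for this page; it is not Dropbear's code and not from either message in the thread. The user table, the dummy record, the 300 ms delay value and the plaintext password storage are constructed for the example. The idea that a length cap bounds the attacker-controlled work per attempt is one plausible rationale for such a limit and is not something the thread states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Limits as stated in the 2019.77 changelog (example code, not Dropbear's). */
#define SVR_MAX_PASSWORD_LEN 100
#define SVR_MAX_USERNAME_LEN 100

/* Fixed failure delay: a constructed example value, not Dropbear's setting. */
#define SVR_AUTH_FAIL_DELAY_MS 300

enum svr_auth_result { SVR_AUTH_FAIL = 0, SVR_AUTH_OK = 1 };

struct svr_user {
    const char *name;
    const char *password;   /* plaintext only to keep the example short */
};

/* Constructed user table for the example. */
static const struct svr_user USERS[] = {
    { "alice", "correct horse battery staple" },
    { "bob",   "hunter2" },
};

/* Dummy record used when the username is unknown, so the same comparison
 * work is done whether or not the account exists. */
static const struct svr_user DUMMY_USER = { "", "dummy-password-placeholder" };

/* Constant-time equality: the loop count depends only on the candidate's
 * (attacker-chosen) length, never on the stored secret's contents. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen) {
    unsigned char diff = (unsigned char)(alen != blen);
    for (size_t i = 0; i < alen; i++) {
        unsigned char x = (unsigned char)a[i];
        unsigned char y = (i < blen) ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(x ^ y);
    }
    return diff == 0;
}

/* Walk the whole table (no early return) and fall back to the dummy record,
 * so an unknown user costs the same as a known one. */
static const struct svr_user *lookup_user(const char *username) {
    const struct svr_user *found = &DUMMY_USER;
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++) {
        if (strcmp(USERS[i].name, username) == 0) {
            found = &USERS[i];
        }
    }
    return found;
}

/* Check one password attempt. On failure the reported delay is identical
 * for "unknown user", "wrong password" and "password too long", so timing
 * does not reveal which accounts exist. The caps bound the bytes compared
 * per attempt; they are folded into the result instead of returning early. */
int svr_check_password(const char *username, const char *password,
                       unsigned *delay_ms) {
    size_t ulen = strlen(username);
    size_t plen = strlen(password);
    const struct svr_user *u = lookup_user(username);

    int within_limits = (ulen <= SVR_MAX_USERNAME_LEN) &&
                        (plen <= SVR_MAX_PASSWORD_LEN);
    size_t cmp_len = plen > SVR_MAX_PASSWORD_LEN ? SVR_MAX_PASSWORD_LEN : plen;

    /* Bitwise AND so every term is evaluated regardless of the others. */
    int ok = ct_equal(password, cmp_len, u->password, strlen(u->password))
             & within_limits
             & (u != &DUMMY_USER);

    *delay_ms = ok ? 0 : SVR_AUTH_FAIL_DELAY_MS;
    return ok ? SVR_AUTH_OK : SVR_AUTH_FAIL;
}

int main(void) {
    unsigned d;
    printf("alice/correct -> %d (delay %u ms)\n",
           svr_check_password("alice", "correct horse battery staple", &d), d);
    printf("alice/wrong   -> %d (delay %u ms)\n",
           svr_check_password("alice", "wrong", &d), d);
    printf("nobody/wrong  -> %d (delay %u ms)\n",
           svr_check_password("nobody", "wrong", &d), d);
    return 0;
}
```

In a real server the caller would sleep for `*delay_ms` before sending the failure message; the function returns the delay instead of sleeping so the behaviour can be checked without waiting. The point to carry over is that every failure branch produces the same delay and performs a comparison bounded by the same cap, independent of whether the username resolved to a real account.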