Debian Security Advisory
DSA-3859-1 dropbear -- security update
- Date Reported:
- 19 May 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-9078, CVE-2017-9079.
- More information:
Two vulnerabilities were found in Dropbear, a lightweight SSH2 server and client:
Mark Shepard discovered a double free in the TCP listener cleanup which could result in denial of service by an authenticated user if Dropbear is running with the "-a" option.
Jann Horn discovered a local information leak in parsing the .authorized_keys file.
For the stable distribution (jessie), these problems have been fixed in version 2014.65-1+deb8u2.
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your dropbear packages.