Bug 845306 (CVE-2013-4421) - VUL-0: CVE-2013-4421: dropbear: denial of service and user disclosure fixed in 2013.59
Status: RESOLVED FIXED
Alias: CVE-2013-4421
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Tim Hardeck
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-10 13:28 UTC by Marcus Meissner
Modified: 2015-02-19 02:17 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-10-10 13:28:36 UTC
https://matt.ucc.asn.au/dropbear/CHANGES for 2013.59 has
- Limit the size of decompressed payloads, avoids memory exhaustion denial
  of service 
  Thanks to Logan Lamb for reporting and investigating it

- Avoid disclosing existence of valid users through inconsistent delays
  Thanks to Logan Lamb for reporting

which seem security-relevant.

I have requested CVEs.
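Bounded decompression, as an added example to illustrate the first changelog item (this is not Dropbear's code). A small compressed packet that inflates to far more than a receiver should buffer is constructed here and inflated two ways: without a cap, which is the pre-fix pattern the changelog describes, and with a fixed ceiling that refuses the packet instead of allocating. The ceiling `MAX_INFLATED`, the function names and the sample payloads are this example's own assumptions, not values from the Dropbear source.

```python
"""Bounded decompression (added example, not Dropbear code).

Limits the number of inflated bytes per packet so a peer cannot exhaust
memory with a tiny, highly compressible payload.
"""
import zlib

# Assumed per-packet ceiling on inflated bytes. Dropbear's own limit is
# whatever its source sets; this number exists only for the demonstration.
MAX_INFLATED = 64 * 1024


class PayloadTooLarge(Exception):
    """Raised when a packet would inflate beyond the configured ceiling."""


def make_bomb(inflated_size):
    """Constructed payload: long runs of zeros compress roughly 1000:1."""
    return zlib.compress(b"\x00" * inflated_size, 9)


def inflate_unbounded(packet):
    """Pre-fix pattern: inflate whatever the peer sent, however large."""
    return zlib.decompress(packet)


def inflate_bounded(packet, limit=MAX_INFLATED):
    """Inflate at most `limit` bytes; refuse the packet if more would follow.

    max_length stops zlib after `limit` output bytes. If end-of-stream has
    not been reached by then, or input is left over, the peer sent more
    than we are willing to buffer, so reject rather than keep allocating.
    """
    d = zlib.decompressobj()
    out = d.decompress(packet, limit)
    if not d.eof or d.unconsumed_tail:
        raise PayloadTooLarge(f"payload would inflate past {limit} bytes")
    return out


def is_refused(packet, limit=MAX_INFLATED):
    """True if the bounded inflater rejects `packet`."""
    try:
        inflate_bounded(packet, limit)
    except PayloadTooLarge:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(1_000_000)
    print(f"bomb: {len(bomb)} compressed bytes -> "
          f"{len(inflate_unbounded(bomb))} inflated bytes (unbounded)")
    print("bounded inflater refuses it:", is_refused(bomb))
    small = make_bomb(100)
    print("ordinary packet passes:", len(inflate_bounded(small)), "bytes")
```

The check on `d.eof` matters as much as the one on `unconsumed_tail`: zlib can have consumed all of its input and still owe output (for example in the middle of a long back-reference), so looking only at leftover input would let such a packet through.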
Comment 1 Marcus Meissner 2013-10-11 11:19:11 UTC
> https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f

Please use CVE-2013-4421 for this issue.
Comment 2 Swamp Workflow Management 2013-10-11 22:00:08 UTC
bugbot adjusting priority
Comment 3 Tim Hardeck 2013-10-14 12:45:54 UTC
I am waiting for the 2013.60 release for submission because of some potential issues in the current release.
Comment 4 Victor Pereira 2013-10-16 11:53:59 UTC
A new CVE was assigned for the user enumeration via authentication failure delays bug: CVE-2013-4434
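User enumeration through auth-failure timing, as an added example for the second changelog item now tracked as CVE-2013-4434 (this is not Dropbear's code). The vulnerable function below rejects unknown users before doing any password work, so a failed login for a nonexistent account returns measurably faster than one for a real account with a wrong password. The hardened function does the same hashing on both paths (against a dummy hash when the user is unknown) and applies one fixed delay to every failure. The user table, hash parameters, delay value and function names are constructed for this example and are not Dropbear's values.

```python
"""User enumeration via inconsistent auth-failure delays (added example,
not Dropbear code): the leaky pattern next to a uniform-work version."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 20_000          # assumed cost of the real password check
FAIL_DELAY = 0.3                # seconds; assumed, not Dropbear's figure
SALT = b"constructed-salt"


def hash_pw(password, trace=None):
    """Deliberately expensive password hash; records itself in `trace`."""
    if trace is not None:
        trace.append("pbkdf2")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


# Constructed user database. DUMMY_HASH is what unknown users are checked
# against so the expensive path runs for them as well.
USERS = {"alice": hash_pw("correct horse")}
DUMMY_HASH = hash_pw(os.urandom(16).hex())


def auth_vulnerable(user, password, trace):
    """Leaky: unknown users are rejected before any hashing happens."""
    stored = USERS.get(user)
    if stored is None:
        return False                       # fast path reveals: no such user
    return hmac.compare_digest(hash_pw(password, trace), stored)


def auth_hardened(user, password, trace, sleep=time.sleep):
    """Same work for known and unknown users, plus one fixed failure delay."""
    stored = USERS.get(user, DUMMY_HASH)
    candidate = hash_pw(password, trace)
    ok = hmac.compare_digest(candidate, stored) and user in USERS
    if not ok:
        sleep(FAIL_DELAY)
        trace.append("delay")
    return ok


def timed(fn, user, password):
    """Wall-clock seconds for one attempt: what a remote attacker measures."""
    t0 = time.perf_counter()
    fn(user, password, [])
    return time.perf_counter() - t0


if __name__ == "__main__":
    for name, fn in (("vulnerable", auth_vulnerable), ("hardened", auth_hardened)):
        known = timed(fn, "alice", "wrong password")
        unknown = timed(fn, "mallory", "wrong password")
        print(f"{name:10s} known user {known * 1000:7.1f} ms, "
              f"unknown user {unknown * 1000:7.1f} ms")
```

Running it shows the vulnerable path answering in well under a millisecond for `mallory` and tens of milliseconds for `alice`, while the hardened path takes roughly `FAIL_DELAY` plus one hash for both. The `trace` list exists so the difference in work can be checked exactly rather than through noisy timing; in a real server the dummy comparison and the fixed delay are the two pieces that have to be present together, since either one alone still leaves a measurable gap.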
Comment 5 Tim Hardeck 2013-10-18 08:45:13 UTC
Created submit requests with 2013.60 for 12.3
https://build.opensuse.org/request/show/203702 and 13.1
https://build.opensuse.org/request/show/203703 .
Comment 6 Tim Hardeck 2013-10-21 11:34:27 UTC
Updated submit requests with 2013.60 for 12.3
https://build.opensuse.org/request/show/204118 and 13.1
https://build.opensuse.org/request/show/204119 .
Comment 7 Tim Hardeck 2013-10-22 15:33:53 UTC
The SRs were accepted.
Comment 8 Swamp Workflow Management 2013-10-31 15:04:31 UTC
openSUSE-SU-2013:1616-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 845306
CVE References: CVE-2013-4421,CVE-2013-4434
Sources used:
openSUSE 12.3 (src):    dropbear-2013.60-7.4.1
Comment 9 Swamp Workflow Management 2013-11-15 18:08:05 UTC
openSUSE-SU-2013:1696-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 845306
CVE References: CVE-2013-4421,CVE-2013-4434
Sources used:
openSUSE 13.1 (src):    dropbear-2013.60-2.4.1