---
- branch: MAIN
  date: Thu Nov  9 19:00:25 UTC 2017
  files:
  - new: '1.34'
    old: '1.33'
    path: pkgsrc/security/dropbear/Makefile
    pathrev: pkgsrc/security/dropbear/Makefile@1.34
    type: modified
  - new: '1.25'
    old: '1.24'
    path: pkgsrc/security/dropbear/distinfo
    pathrev: pkgsrc/security/dropbear/distinfo@1.25
    type: modified
  id: 20171109T190025Z.73c4fb3b48ad67719ecbe2cf60d155dcdc3f2b56
  log: "dropbear: update to 2017.75\n\nChanges:\n- Security: Fix double-free in server
    TCP listener cleanup\n  A double-free in the server could be triggered by an authenticated\n
    \ user if dropbear is running with -a (Allow connections to forwarded\n  ports
    from any host)\n  This could potentially allow arbitrary code execution as root
    by an\n  authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to\n
    \ Mark Shepard for reporting the crash.\n  CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c\n\n-
    Security: Fix information disclosure with ~/.ssh/authorized_keys\n  symlink.  Dropbear
    parsed authorized_keys as root, even if it were\n  a symlink. The fix is to switch
    to user permissions when opening\n  authorized_keys\n\n  A user could symlink
    their ~/.ssh/authorized_keys to a root-owned\n  file they couldn't normally read.
    If they managed to get that file\n  to contain valid authorized_keys with command=
    options it might be\n  possible to read other contents of that file.\n  This information
    disclosure is to an already authenticated user.\n  Thanks to Jann Horn of Google
    Project Zero for reporting this.\n  CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123\n\n-
    Generate hostkeys with dropbearkey atomically and flush to disk with\n  fsync.
    Thanks to Andrei Gherzan for a patch.\n\n- Fix out of tree builds with bundled
    libtom\n  Thanks to Henrik Nordstræ\x97¦m and Peter Krefting for patches.\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/dropbear'
  unixtime: '1510254025'
  user: snj