[OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly
Sona Sarmadi
sona.sarmadi at enea.com
Wed Sep 14 08:49:31 UTC 2016
Hi guys,
I need your advice how to address this CVE in krogoth (master is not affected)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3116
I couldn't find a patch for this specific CVE in dropbear git or somewhere else, if we want to address this issue it seems that we need to update the dropbear version in krogoth to "2016.72". Is this ok?
Dropbear version in krogoth is 2015.71:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-core/dropbear?h=krogoth
dropbear_2015.71.bb
https://matt.ucc.asn.au/dropbear/CHANGES
.....
2016.72 - 9 March 2016 <<<<<<< dropbear version this CVE has been fixed
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
2015.71 - 3 December 2015 <<<< dropbear version in krogoth
.....
Looking at dropbear git repo I see some more commits between these versions but CHANGES file doesn't mention this so probably these are minor changes.
Thanks
//Sona
More information about the Openembedded-core
mailing list