[OE-core] CVE-2016-3116: dropbear: X11 forwarding input not validated properly
Alexander Kanavin
alexander.kanavin at linux.intel.com
Wed Sep 14 09:06:59 UTC 2016
On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
> https://matt.ucc.asn.au/dropbear/CHANGES
> .....
> 2016.72 - 9 March 2016 <<<<<<< dropbear version this CVE has been fixed
> - Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
> found by github.com/tintinweb. Thanks for Damien Miller for a patch. CVE-2016-3116
>
> 2015.71 - 3 December 2015 <<<< dropbear version in krogoth
It's *probably* this one. The commit messages in the dropbear repository are
*amazingly* vague and unprofessional.
https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
That said, I vote for updating to the version that comes with the fix.
Backporting fixes should not be the default in the stable Yocto
releases; we should trust the upstream more.
Alex