Sicherheit: Zwei Probleme in Dropbear

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============2865828606688567976==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------ohg8x7htOWRvbdMsNFEcZkyC"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------ohg8x7htOWRvbdMsNFEcZkyC
Content-Type: multipart/mixed;
boundary="------------Z30qQO9AJ0hq0GNlFEjVhRYM";
protected-headers="v1"
From: Sudhakar Verma <sudhakar.verma@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <8762405c-d77f-4d04-ad77-14b9874e9d61@canonical.com>
Subject: [USN-7292-1] Dropbear vulnerabilities

--------------Z30qQO9AJ0hq0GNlFEjVhRYM
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-7292-1
February 25, 2025

Several security issues were fixed in Dropbear
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in dropbear.

Software Description:
- dropbear: lightweight SSH2 server and client

Details:

Manfred Kaiser discovered that Dropbear through 2020.81 does not properly
check the available authentication methods in the client-side SSH code.
An attacker could use this vulnerability to gain unauthorized access to
remote systems. (CVE-2021-36369)

Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that the SSH
transport protocol implementation in Dropbear had weak integrity checks.
An attacker could use this vulnerability to bypass security features
like encryption and integrity checks. (CVE-2023-48795)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
dropbear 2020.81-5ubuntu0.1
dropbear-bin 2020.81-5ubuntu0.1

Ubuntu 20.04 LTS
dropbear 2019.78-2ubuntu0.1~esm1
Available with Ubuntu Pro
dropbear-bin 2019.78-2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
dropbear 2017.75-3ubuntu0.1~esm1
Available with Ubuntu Pro
dropbear-bin 2017.75-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7292-1
CVE-2021-36369, CVE-2023-48795

Package Information:
https://launchpad.net/ubuntu/+source/dropbear/2020.81-5ubuntu0.1
--------------Z30qQO9AJ0hq0GNlFEjVhRYM--

--------------ohg8x7htOWRvbdMsNFEcZkyC
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEcfvxe+flLQwqLJFE8LYUYLBMS1YFAme96JoFAwAAAAAACgkQ8LYUYLBMS1bF
dBAApAWhgwJnh59M14KAKQXcDczYKsPTNaBYb7+iFdq/5wSixrrU2wdqRelfgztKPnDn32MlM9S8
3le2eWcO2IgBErYsacgovYogg31M+MCTvwqr+79GuQ8v7PB0N7PbpthwdG5/HJUOLfgq90kmhPi4
v/msEjifrDlZHf9ySvZJl/iH7XE9BQlpphGMQ4ECoCt7qfy5RXSagWZ/eY+SKt0pUArTgeDk/vIx
8gEvqeLe/OCDDQFXCHPwI5vg1mg5DxD7ORHUW98N3bimS4V4ixZuD7t3ihcwyh/xydYsAG6ZuR+G
qzzrrtycOJILZ9FUUCELrdABrogasiEFa4FU6OyUrPOuKDiz1MIX9dXAnT6NQMlZ0wcXlOsA12EO
mL/EqFuBuHnD7wF3tAi/MVjCiXDmt6xht5T2l1pmnfuMT2GIwgHsEsBChjlYDfFRHtlIgZCfx+vZ
gXNl938D69y/81OfQZACpk4jVZzeE8vkWJH3qA1bEZC4vwop2OcwjOB7dG9bBa4PtLLMPBWwfyG3
5qBj9FErHGmfJ675jW4r6bMqjVqegQGCPrJEUA3oTouCsfLp35OomeVoVbxeNmS6Y9M6T03KqPHV
8FcgsTQzYEPLQZLKvAvtUOomguIzJ+qIgtI+wKSKqLuemFhrlOZxaKZ7G7DkAgXGzVAmmcW+hz7c
OfI=
=4d46
-----END PGP SIGNATURE-----

--------------ohg8x7htOWRvbdMsNFEcZkyC--

--===============2865828606688567976==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============2865828606688567976==--