openwrtv3/package/network/services
Jo-Philipp Wich 4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
..
authsae packages: prefer http over git for git protocol 2016-06-22 19:32:06 +02:00
dnsmasq dnsmasq: drop --interface and --except-interface options when the interface cannot be found 2016-07-29 20:58:14 +02:00
dropbear dropbear: security update to 2016.74 2016-08-12 11:45:47 +02:00
ead treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
hostapd hostapd: Allow RADIUS accounting without 802.1x 2016-08-11 10:45:33 +02:00
igmpproxy igmpproxy: remove procd_open_trigger/procd_close_trigger calls 2016-07-29 16:41:09 +02:00
ipset-dns treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
lldpd lldpd: Use /etc/os-release instead of /etc/openwrt_* 2016-06-27 15:16:01 +02:00
mdns package/*: update git urls for project repos 2016-06-13 22:51:41 +02:00
odhcpd packages: prefer http over git for git protocol 2016-06-22 19:32:06 +02:00
omcproxy omcproxy: fix PKG_LICENSE string 2015-10-26 09:01:48 +00:00
openvpn openvpn: fix missing cipher list for polarssl in v2.3.11 2016-06-28 10:47:22 +02:00
openvpn-easy-rsa packages: remove uneeded PKG_BUILD_DIR overrides 2015-02-22 01:31:21 +00:00
ppp treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
relayd package/*: update git urls for project repos 2016-06-13 22:51:41 +02:00
samba36 samba36: avoid picking up a dependency on libunwind (fixes GH #212) 2016-07-21 17:33:17 +02:00
uhttpd uhttpd: update to the latest version, adds some extensions to handler script support 2016-06-16 19:00:16 +02:00