From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Alexander Kanavin <alexander.kanavin@linux.intel.com>,
openembedded-core@lists.openembedded.org
Subject: Re: CVE-2016-3116: dropbear: X11 forwarding input not validated properly
Date: Wed, 14 Sep 2016 10:43:08 +0100
Message-ID: <1473846188.7207.57.camel@linuxfoundation.org>
In-Reply-To: <37af20ca-62f9-7308-0b97-6ba6c46dafb1@linux.intel.com>
On Wed, 2016-09-14 at 12:06 +0300, Alexander Kanavin wrote:
> On 09/14/2016 11:49 AM, Sona Sarmadi wrote:
> >
> > https://matt.ucc.asn.au/dropbear/CHANGES
> > .....
> > 2016.72 - 9 March 2016 <<<<<<< dropbear version in which this CVE has been fixed
> > - Validate X11 forwarding input. Could allow bypass of
> > authorized_keys command= restrictions,
> > found by github.com/tintinweb. Thanks for Damien Miller for a
> > patch. CVE-2016-3116
> >
> > 2015.71 - 3 December 2015 <<<< dropbear version in krogoth
> It's *probably* this one. The commit messages in the dropbear repository
> are *amazingly* vague and unprofessional.
>
> https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
>
> That said, I vote for updating to the version that comes with the fix.
> Backporting fixes should not be the default in the stable Yocto
> releases; we should trust the upstream more.
Taking that argument to the extreme, we should update all versions in
the "stable" release to the latest to ensure we get all the fixes. At
that point, it becomes no different to master and it's not the
definition of "stable" which most people want to use.
So whilst I do take the point and in some cases it does make sense, it
doesn't really make sense to have that as the default policy.
In this case, it's a question of what else changed in dropbear between
these versions. Were there a ton of new features or was it just
bugfixes? How much risk of other problems is there?
Cheers,
Richard
Thread overview: 7+ messages
2016-09-14 8:49 CVE-2016-3116: dropbear: X11 forwarding input not validated properly Sona Sarmadi
2016-09-14 9:06 ` Alexander Kanavin
2016-09-14 9:43 ` Richard Purdie [this message]
2016-09-14 9:58 ` Alexander Kanavin
2016-09-14 10:24 ` Sona Sarmadi
2016-09-14 10:31 ` Alexander Kanavin
2016-09-14 20:19 ` akuster808