D11400.id30191.diff
Index: security/dropbear/Makefile
===================================================================
--- security/dropbear/Makefile
+++ security/dropbear/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= dropbear
-PORTVERSION= 2016.74
+PORTVERSION= 2017.75
CATEGORIES= security ipv6
MASTER_SITES= http://matt.ucc.asn.au/dropbear/releases/
@@ -19,8 +19,39 @@
USE_RC_SUBR= ${PORTNAME}
-OPTIONS_DEFINE= STATIC
+OPTIONS_DEFINE= DH_GROUP1 SMALL_CODE STATIC
+OPTIONS_DEFAULT= AES128 AES256 CTR RSA SHA2_256 SHA2_512 SMALL_CODE TWOFISH128 TWOFISH256
+OPTIONS_MULTI= ENC KEY MAC MODE
+OPTIONS_MULTI_ENC= AES128 3DES AES256 BLOWFISH TWOFISH256 TWOFISH128
+OPTIONS_MULTI_MODE= CBC CTR
+OPTIONS_MULTI_KEY= ECDSA DSA RSA
+OPTIONS_MULTI_MAC= MD5 SHA1 SHA1_96 SHA2_256 SHA2_512
+3DES_DESC= Enable 3DES-based encryption
+3DES_IMPLIES= CTR
+AES128_DESC= Enable AES128-based encryption
+AES256_DESC= Enable AES256-based encryption
+TWOFISH128_DESC= Enable Twofish128-based encryption
+TWOFISH256_DESC= Enable Twofish256-based encryption
+BLOWFISH_DESC= Enable Blowfish-based encryption
+
+DH_GROUP1_DESC= Enable Group1 Diffie-Hellman (less secure)
+
+CBC_DESC= Use CBC mode for ciphers (less secure)
+CTR_DESC= Use CTR mode for ciphers (more secure)
+
+ECDSA_DESC= Enable ECDSA public key support
+DSA_DESC= Enable DSA public key support
+RSA_DESC= Enable RSA public key support
+
+MD5_DESC= Enable MD5 MAC (broken)
+SHA1_DESC= Enable SHA1 MAC (less secure)
+SHA1_96_DESC= Enable SHA1_96 MAC (less secure)
+SHA2_256_DESC= Enable SHA2_256 MAC
+SHA2_512_DESC= Enable SHA2_512 MAC
+
+SMALL_CODE_DESC= Make binary smaller in exchange for 50% performance hit
+
STATIC_LDFLAGS= -static
post-patch:
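Review bot: OPTIONS_DEFAULT on L23 omits ECDSA even though the new ECDSA option is wired to a `post-patch-ECDSA-off` target (not an `-on` target like BLOWFISH), which indicates upstream ships DROPBEAR_ECDSA enabled; a default build of the port will therefore comment it out and stop accepting the ECDSA host and user keys that the 2016.74 port accepted. If that regression is not intended, add it to the defaults: `OPTIONS_DEFAULT= AES128 AES256 CTR ECDSA RSA SHA2_256 SHA2_512 SMALL_CODE TWOFISH128 TWOFISH256`. The same question applies to any other option whose `-off` target disables an upstream default, so a short comment above OPTIONS_DEFAULT stating which upstream defaults the port deliberately turns off would help the next maintainer. The `post-patch:` target opened on the last line here has its recipe in the next hunk.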
@@ -29,6 +60,78 @@
@${REINPLACE_CMD} -e "s,sys/dir.h,dirent.h," ${WRKSRC}/*.[ch]
@${REINPLACE_CMD} -e "s,make clean,\$${MAKE} clean," \
${WRKSRC}/libtomcrypt/Makefile.in
+
+post-patch-SMALL_CODE-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_SMALL_CODE,/*#define DROPBEAR_SMALL_CODE*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-3DES-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_3DES,/*#define DROPBEAR_3DES*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-AES128-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_AES128,/*#define DROPBEAR_AES128*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-AES256-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_AES256,/*#define DROPBEAR_AES256*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-TWOFISH256-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_TWOFISH256,/*#define DROPBEAR_TWOFISH256*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-TWOFISH128-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_TWOFISH128,/*#define DROPBEAR_TWOFISH128*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-BLOWFISH-on:
+ @${REINPLACE_CMD} -e "s,/\*#define DROPBEAR_BLOWFISH\*/,#define DROPBEAR_BLOWFISH,g" \
+ ${WRKSRC}/options.h
+
+post-patch-CBC-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_ENABLE_CBC_MODE,/*#define DROPBEAR_ENABLE_CBC_MODE*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-CTR-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_ENABLE_CTR_MODE,/*#define DROPBEAR_ENABLE_CTR_MODE*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-DH_GROUP1-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_DH_GROUP1 1,/*#define DROPBEAR_DH_GROUP1 1*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-DSA-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_DSS,/*#define DROPBEAR_DSS*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-RSA-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_RSA,/*#define DROPBEAR_RSA*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-ECDSA-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_ECDSA,/*#define DROPBEAR_ECDSA*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-MD5-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_MD5_HMAC,/*#define DROPBEAR_MD5_HMAC*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-SHA1-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_SHA1_HMAC,/*#define DROPBEAR_SHA1_HMAC*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-SHA1_96-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_SHA1_96_HMAC,/*#define DROPBEAR_SHA1_96_HMAC*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-SHA2_256-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_SHA2_256_HMAC,/*#define DROPBEAR_SHA2_256_HMAC*/,g" \
+ ${WRKSRC}/options.h
+
+post-patch-SHA2_512-off:
+ @${REINPLACE_CMD} -e "s,#define DROPBEAR_SHA2_512_HMAC,/*#define DROPBEAR_SHA2_512_HMAC*/,g" \
+ ${WRKSRC}/options.h
do-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/etc/dropbear
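Review bot: Every `post-patch-*-off` target from L61 onward depends on `${REINPLACE_CMD}` finding a `#define` in options.h, and sed exits 0 when the pattern is absent, so a macro renamed in a later upstream release would leave the algorithm compiled in while the option reports it disabled, which defeats the "(less secure)" and "(broken)" toggles for CBC, SHA1 and MD5. Guard each target with a presence check that fails the build, e.g. `@${GREP} -q '^#define DROPBEAR_SMALL_CODE' ${WRKSRC}/options.h` as the first line of post-patch-SMALL_CODE-off, and likewise for the other eighteen targets. Except for DH_GROUP1, the patterns are also unanchored, so a pattern such as `#define DROPBEAR_RSA` would match any longer identifier starting with that text should upstream add one; anchoring with a leading `^` (and a trailing `$` where the define takes no value) narrows that. The `post-patch:` target whose recipe starts this hunk is declared in the previous hunk.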
Index: security/dropbear/distinfo
===================================================================
--- security/dropbear/distinfo
+++ security/dropbear/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1469201269
-SHA256 (dropbear-2016.74.tar.bz2) = 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891
-SIZE (dropbear-2016.74.tar.bz2) = 1622234
+TIMESTAMP = 1497947793
+SHA256 (dropbear-2017.75.tar.bz2) = 6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
+SIZE (dropbear-2017.75.tar.bz2) = 1623392
Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml
+++ security/vuxml/vuln.xml
@@ -58,6 +58,41 @@
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="60931f98-55a7-11e7-8514-589cfc0654e1">
+ <topic>Dropbear -- two vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>dropbear</name>
+ <range><lt>2017.75</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Matt Johnston reports:</p>
+ <blockquote cite="https://matt.ucc.asn.au/dropbear/CHANGES">
+ <p>Fix double-free in server TCP listener cleanup A double-free in
+ the server could be triggered by an authenticated user if dropbear
+ is running with -a (Allow connections to forwarded ports from any
+ host) This could potentially allow arbitrary code execution as root
+ by an authenticated user.</p>
+ <p>Fix information disclosure with ~/.ssh/authorized_keys symlink.
+ Dropbear parsed authorized_keys as root, even if it were a symlink.
+ The fix is to switch to user permissions when opening authorized_keys.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://matt.ucc.asn.au/dropbear/CHANGES</url>
+ <cvename>CVE-2017-9078</cvename>
+ <cvename>CVE-2017-9079</cvename>
+ </references>
+ <dates>
+ <discovery>2017-05-18</discovery>
+ <entry>2017-06-28</entry>
+ </dates>
+ </vuln>
+
<vuln vid="8c1a271d-56cf-11e7-b9fe-c13eb7bcbf4f">
<topic>exim -- Privilege escalation via multiple memory leaks</topic>
<affects>

File Metadata

Mime Type
text/plain
Expires
Sat, Mar 21, 10:33 AM (4 h, 14 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
30051836
Default Alt Text
D11400.id30191.diff (6 KB)

Event Timeline