Advisories » MGASA-2017-0165

Updated dropbear packages fix security vulnerability

Publication date: 10 Jun 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-9078, CVE-2017-9079

Description

A double-free in the server could be triggered by an authenticated user if
dropbear is running with -a (CVE-2017-9078). The default Mageia
configuration does not set -a, so it is not vulnerable.

Dropbear parsed authorized_keys as root, even if it was a symlink. The
fix is to switch to user permissions when opening authorized_keys
(CVE-2017-9079).
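
An added illustration of the fix pattern described for CVE-2017-9079, not Dropbear's or Mageia's own code: the hypothetical helper open_as_user() takes on the target user's effective uid and gid before opening the file, so a symlink is followed with that user's permissions instead of root's.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (illustration only): open `path` read-only while the
 * process temporarily holds the target user's effective uid/gid, so the
 * kernel checks that user's permissions on every path component, including
 * the target of a symlink. Supplementary groups are left unchanged here;
 * a privileged server has to switch those as well. Returns fd or -1. */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd;

    /* Group first: once the effective uid is no longer 0, the process may
     * not be allowed to change its gid any more. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        if (setegid(saved_gid) != 0)
            abort();
        return -1;
    }

    fd = open(path, O_RDONLY | O_CLOEXEC);

    /* Restore in reverse order. If the original identity cannot be
     * restored the process state is unknown, so stop instead of going on. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return fd;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 2;
    /* Demo with the caller's own ids; a server passes the ids of the
     * account that is authenticating. */
    int fd = open_as_user(argv[1], geteuid(), getegid());
    printf("open_as_user(%s): %s\n", argv[1], fd >= 0 ? "ok" : "failed");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```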
                

References

SRPMS

5/core