SB2017061387 - Information disclosure in dropbear (Alpine package)
Published: June 13, 2017
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2017-9079)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists because the application allows the use of symlinks when configured with the authorized_keys file format and a command= option. A local user can read certain files on the system with root privileges.
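A defender-side check for the condition described above, as an added example that is not part of the bulletin or of dropbear: it flags accounts whose `~/.ssh` directory or `authorized_keys` file is a symlink. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile


def passwd_home_dirs():
    """Home directories of all local accounts (Unix only)."""
    import pwd
    return sorted({p.pw_dir for p in pwd.getpwall() if os.path.isdir(p.pw_dir)})


def find_symlinked_authorized_keys(home_dirs):
    """Return (path, resolved_target) for each home whose .ssh directory or
    authorized_keys file is a symlink, i.e. a path its owner can redirect."""
    findings = []
    for home in home_dirs:
        ssh_dir = os.path.join(home, ".ssh")
        key_file = os.path.join(ssh_dir, "authorized_keys")
        # islink() uses lstat(), so the link itself is inspected, not its target.
        if os.path.islink(ssh_dir) or os.path.islink(key_file):
            findings.append((key_file, os.path.realpath(key_file)))
    return findings


def build_sample_tree(root):
    """Constructed sample data: three home directories under root."""
    other = os.path.join(root, "other_file")  # stand-in for a file outside the home
    with open(other, "w") as f:
        f.write("placeholder\n")
    homes = {n: os.path.join(root, "home", n) for n in ("alice", "bob", "carol")}
    for path in homes.values():
        os.makedirs(path)
    # alice: ordinary regular authorized_keys file (key material is a placeholder)
    os.mkdir(os.path.join(homes["alice"], ".ssh"))
    with open(os.path.join(homes["alice"], ".ssh", "authorized_keys"), "w") as f:
        f.write("ssh-ed25519 AAAA-constructed-placeholder alice@example\n")
    # bob: authorized_keys itself is a symlink
    os.mkdir(os.path.join(homes["bob"], ".ssh"))
    os.symlink(other, os.path.join(homes["bob"], ".ssh", "authorized_keys"))
    # carol: the whole .ssh directory is a symlink
    os.symlink(os.path.join(homes["alice"], ".ssh"), os.path.join(homes["carol"], ".ssh"))
    return homes, other


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        homes, _ = build_sample_tree(tmp)
        for path, target in find_symlinked_authorized_keys(sorted(homes.values())):
            print(f"symlinked: {path} -> {target}")
```

On a live host, pass `passwd_home_dirs()` to `find_symlinked_authorized_keys()` instead of the sample homes.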
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=ea5e2a6272e38458c8d64e5cb59cfc089a5c9a93
- https://git.alpinelinux.org/aports/commit/?id=9ee60284bf43844b66bb000070cc8cff672140a1
- https://git.alpinelinux.org/aports/commit/?id=b204c902de27dc4e5e9efddb3dd9af012c70e268
- https://git.alpinelinux.org/aports/commit/?id=b798fc52c6aa85782652617ee817f26a9412f861