Matthew Hall
2008-Jun-02 05:30 UTC
[Secure-testing-team] Bug#484055: dropbear should support openssh-blacklist-* integration
Package: dropbear
Version: 0.51-1
Severity: normal
Tags: security

The dropbear server should include support for disallowing the usage of blacklisted SSH keys generated on systems which were vulnerable to DSA-1576-1 [1]. This support is included in openssh to protect the integrity of systems that have been updated to patch DSA-1576-1 [1]:

<<This update contains a dependency on the openssl update and will automatically install a corrected version of the libssl0.9.8 package, and a new package openssh-blacklist. Once the update is applied, weak user keys will be automatically rejected where possible (though they cannot be detected in all cases). If you are using such keys for user authentication, they will immediately stop working and will need to be replaced.>>

Please consider adding support for the openssh blacklist files to dropbear as well as a recommends dependency on the openssh blacklist files (preferably not mandatory dependency since dropbear is used in embedded environments in some cases).

Thanks and Regards,
Matthew Hall

[1] http://www.debian.org/security/2008/dsa-1576

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.18.8-xen (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dropbear depends on:
ii  libc6    2.7-11             GNU C Library: Shared libraries
ii  zlib1g   1:1.2.3.3.dfsg-12  compression library - runtime

dropbear recommends no packages.

-- no debconf information
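
The kind of check requested above, sketched as an added example; it is not code from this report, from dropbear or from openssh. It assumes the openssh-blacklist layout of one list per key type and size, named `blacklist.<TYPE>-<bits>`, holding the MD5 fingerprint of the public key blob with its first 12 hex digits dropped; all function names are hypothetical and the sample key is constructed.

```python
import base64, hashlib, struct
def read_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields

def blacklist_lookup_key(pubkey_line):
    """Map a 'type base64 [comment]' line to (list name, 20-hex-digit tail)."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if not fields or fields[0] != ktype.encode():
        raise ValueError("key type does not match blob")
    if ktype == "ssh-rsa" and len(fields) == 3:
        name, size_field = "RSA", fields[2]      # fields: type, e, n
    elif ktype == "ssh-dss" and len(fields) == 5:
        name, size_field = "DSA", fields[1]      # fields: type, p, q, g, y
    else:
        raise ValueError("unsupported or malformed key")
    bits = int.from_bytes(size_field, "big").bit_length()
    # Assumed list naming and entry format (see lead-in): MD5 of blob, minus 12 digits.
    return f"blacklist.{name}-{bits}", hashlib.md5(blob).hexdigest()[12:]

def load_blacklist(text):
    """Parse list file contents, skipping blank lines and '#' comments."""
    return {r.strip() for r in text.splitlines() if r.strip() and not r.startswith("#")}

def is_blacklisted(pubkey_line, lists):
    """lists maps list name -> set of tails; an absent list yields no match."""
    name, tail = blacklist_lookup_key(pubkey_line)
    return tail in lists.get(name, set())

def sample_rsa_line(n, e=65537):
    """Constructed (not a real) ssh-rsa line with modulus n, for the demo."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    def mpint(v):
        return field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Because an absent list yields no match, a system without the blacklist files installed (the embedded case the report mentions) accepts every key, so a caller should log which lists were actually loaded.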