Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. Exploitation is limited to users, who have been authenticated through public key authentication and for which command restrictions are in place.

For the stable distribution (squeeze), this problem has been fixed in version 0.52-5+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 2012.55-1. For the unstable distribution (sid), this problem has been fixed in version 2012.55-1. We recommend that you upgrade your dropbear packages.

dropbear is a SSH 2 server and client designed to be small enough to be used in small memory environments, while still being functional and secure enough for general use.

dropbear on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2012/dsa-2456.html

---

Updated on 2015-03-25