Description: The dbclient and server in Dropbear SSH before 2016.74, when compiled with DEBUG_TRACE, allows local users to read process memory via the -v argument, related to a failed remote ident.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
dropbear (PTS) | wheezy | 2012.55-1.3 | vulnerable
 | wheezy (security) | 2012.55-1.3+deb7u2 | vulnerable
 | jessie (security), jessie | 2014.65-1+deb8u2 | vulnerable
 | buster, sid | 2018.76-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs

Not an issue for the Debian binary package since we do not
compile with DEBUG_TRACE.
