[arch-security] [ASA-201603-19] dropbear: command injection
Arch Linux Security Advisory ASA-201603-19
==========================================

Severity: Medium
Date    : 2016-03-14
CVE-ID  : CVE-2016-3116
Package : dropbear
Type    : command injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package dropbear before version 2016.72-1 is vulnerable to command
injection leading to information disclosure, directory traversal and
possibly other impact.

Resolution
==========

Upgrade to 2016.72-1.

# pacman -Syu "dropbear>=2016.72-1"

The problem has been fixed upstream in version 2016.72.

Workaround
==========

Set X11Forwarding=no in sshd_config. This is the default. For
authorized_keys that specify a "command" restriction, also set the
"restrict" or "no-x11-forwarding" restrictions.

Note that dropbear itself reads no sshd_config: it is configured through
command-line options, and X11 forwarding support is selected when it is
built. On a dropbear host the authorized_keys restrictions are therefore
the part of this workaround that applies; the "command" restriction on
its own does not disable X11 forwarding for that key.

Description
===========

A vulnerability was found in the way dropbear processed X11 forwarding
input. By using a specially crafted request, an attacker could bypass the
authorized_keys command restrictions. xauth is run under the user's
privilege, so this vulnerability offers no additional access to
unrestricted accounts, but could circumvent key or account restrictions
such as sshd_config ForceCommand, authorized_keys command="..." or
restricted shells.

Impact
======

A remote authenticated user who is able to request X11 forwarding can
inject commands leading to information disclosure, directory traversal
and possibly other impact.

References
==========

https://matt.ucc.asn.au/dropbear/CHANGES
https://access.redhat.com/security/cve/CVE-2016-3116
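The authorized_keys part of the workaround is easy to get wrong on a host with many keys, since an entry that sets command="..." but neither "restrict" nor "no-X11-forwarding" is exactly the kind of restriction this bug lets a user step around. The script below is an added example written for this advisory; it is not part of the advisory, of Arch, or of dropbear. It audits an authorized_keys file and reports every entry that carries a command= option without one of the two X11-related restrictions. The sample file it writes is constructed for the example (the key material is not real), and the parsing is deliberately simple: whitespace followed by a key type ends the options field, so a command value that itself contains " ssh-rsa " would confuse it.

```shell
#!/bin/sh
# Added example, not from the advisory or from dropbear.
# Audit an authorized_keys file for entries that rely on command="..." but
# set neither "restrict" nor "no-X11-forwarding": on an unpatched dropbear
# (CVE-2016-3116) those are the restrictions an X11 forwarding request could
# bypass.
#
# Assumptions: standard authorized_keys syntax (optional comma-separated
# options, key type, base64 blob, optional comment). The options field is
# cut at the first " <keytype> "; a command value containing " ssh-rsa "
# would be mis-parsed, and "restrict" inside a quoted value would be taken
# as the option (both are accepted as limits of this simple check).

# Print "LINE: OPTIONS" for every entry that has command= but no
# restrict / no-X11-forwarding option.
unrestricted_command_keys() {
    akfile=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            ssh-*|ecdsa-*) continue ;;    # no options field at all
        esac
        # Everything before " <keytype> " is the options field.
        opts=$(printf '%s\n' "$line" | sed -E 's/[[:space:]](ssh|ecdsa)-[^[:space:]]+[[:space:]].*$//')
        # Only entries that depend on a forced command are interesting.
        printf '%s\n' "$opts" | grep -Eiq '(^|,)command=' || continue
        # Whole-option match for restrict or no-X11-forwarding (case-insensitive).
        if ! printf '%s\n' "$opts" | grep -Eiq '(^|,)(restrict|no-x11-forwarding)(,|$)'; then
            printf '%s: %s\n' "$lineno" "$opts"
        fi
    done < "$akfile"
}

# Number of offending entries, as a plain integer.
count_unrestricted_command_keys() {
    unrestricted_command_keys "$1" | wc -l | tr -d ' '
}

# Write a constructed sample authorized_keys file and print its path.
# Entries 2 and 6 are the ones the audit should flag.
write_sample_authorized_keys() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample for this example; the key material is not real
command="/usr/local/bin/backup.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0TREAL0 backup@example
restrict,command="/usr/local/bin/backup.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0TREAL1 backup2@example
no-X11-forwarding,no-pty,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQN0TREAL2 git@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQN0TREAL3 admin@example
no-pty,command="/bin/date" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQN0TREAL4 clock@example
EOF
    printf '%s\n' "$tmp"
}

# Usage: audit the file given as the first argument, or the sample if none.
if [ "$#" -gt 0 ]; then
    unrestricted_command_keys "$1"
else
    sample=$(write_sample_authorized_keys)
    unrestricted_command_keys "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit-ak.sh ~user/.ssh/authorized_keys` for each account that uses forced commands; every line it prints is an entry to which "restrict" (or at least "no-X11-forwarding") should be added until the host runs dropbear 2016.72 or later.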
Participants (1): Levente Polyak