CVE-2012-0920

Publication date 5 June 2012

Last updated 24 July 2024


Ubuntu priority

Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to “channels concurrency.”

Status

No maintained releases are affected by this CVE.

| Package | Ubuntu Release | Status |
|---|---|---|
| dropbear | 12.04 LTS precise | Fixed 2011.54-1ubuntu0.12.04.1 |
| dropbear | 11.10 oneiric | Fixed 0.53.1-1ubuntu1.1 |
| dropbear | 11.04 natty | Fixed 0.52-5+squeeze1build0.11.04.1 |
| dropbear | 10.04 LTS lucid | Fixed 0.52-4ubuntu0.10.04.1 |
| dropbear | 8.04 LTS hardy | Ignored, end of life |

Patch details

For informational purposes only. We recommend not cherry-picking updates.

Package Patch details
dropbear