| 1 | +2025.89 - 16 December 2025 |
| 2 | + |
| 3 | +- Security: Avoid privilege escalation via unix stream forwarding in Dropbear |
| 4 | + server. Other programs on a system may authenticate unix sockets via |
| 5 | + SO_PEERCRED, which would be root user for Dropbear forwarded connections, |
| 6 | + allowing root privilege escalation. |
| 7 | + Reported by Turistu, and thanks for advice on the fix. |
| 8 | + This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88. |
| 9 | + |
| 10 | + It is fixed by dropping privileges of the dropbear process after |
| 11 | + authentication. Unix stream sockets are now disallowed when a |
| 12 | + forced command is used, either with authorized_key restrictions or |
| 13 | + "dropbear -c command". |
| 14 | + |
| 15 | + In previous affected releases running with "dropbear -j" (will also disable |
| 16 | + TCP fowarding) or building with localoptions.h/distrooptions.h |
| 17 | + "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation. |
| 18 | + |
| 19 | +- Security: Include scp fix for CVE-2019-6111. This allowed |
| 20 | + a malicious server to overwrite arbitrary local files. |
| 21 | + The missing fix was reported by Ashish Kunwar. |
| 22 | + |
| 23 | +- Server dropping privileges post-auth is enabled by default. This requires |
| 24 | + setresgid() support, so some platforms such as netbsd or macos will have to |
| 25 | + disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is |
| 26 | + not available if DROPBEAR_SVR_DROP_PRIVS is disabled. |
| 27 | + |
| 28 | + Remote server TCP socket forwarding will now use OS privileged port |
| 29 | + restrictions rather than having a fixed "allow >=1024 for non-root" rule. |
| 30 | + |
| 31 | + A future release may implement privilege dropping for netbsd/macos. |
| 32 | + |
| 33 | +- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead |
| 34 | + to a crash at startup with bad_bufptr(). |
| 35 | + Reported by Dani Schmitt and Sebastian Priebe. |
| 36 | + |
| 37 | +- Don't limit channel window to 500MB. That is could cause stuck connections |
| 38 | + if peers advise a large window and don't send an increment within 500MB. |
| 39 | + Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671 |
| 40 | + Reported by Rob Hague. |
| 41 | + |
| 42 | +- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange. |
| 43 | + Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled. |
| 44 | + |
| 45 | +- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean. |
| 46 | + |
| 47 | +- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually |
| 48 | + 150-350ms or possibly negative (zero). Reported by pickaxprograms. |
| 49 | + |
| 50 | +- Fix building without public key options. Thanks to Konstantin Demin |
| 51 | + |
| 52 | +- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin |
| 53 | + |
| 54 | +- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger |
| 55 | + |
| 56 | +- Fix SO_REUSEADDR for TCP tests, reported by vt-alt. |
| 57 | + |
1 | 58 | 2025.88 - 7 May 2025 |
2 | 59 |
3 | 60 | - Security: Don't allow dbclient hostname arguments to be interpreted |
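Review bot: several typos in the new 2025.89 entries should be fixed before this changelog ships, since it is the text users will read for the CVE-2025-14282 advisory. Line 16 "TCP fowarding" should be "TCP forwarding"; line 37 "That is could cause stuck connections" should read "That could cause stuck connections"; line 42 "arent" should be "aren't". Lines 47-48 are a comma splice, suggest "It was meant to be 250-350ms but was actually 150-350ms or possibly negative (zero)." Lines 50 and 52 end without a full stop unlike the surrounding entries.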