2025.88 changelog

Author: mkj

CHANGES

@@ -1,3 +1,30 @@
+2025.88 - 7 May 2025
+
+- Security: Don't allow dbclient hostname arguments to be interpreted
+  by the shell.
+
+  dbclient hostname arguments with a comma (for multihop) would be
+  passed to the shell which could result in running arbitrary shell
+  commands locally. That could be a security issue in situations
+  where dbclient is passed untrusted hostname arguments.
+
+  Now the multihop command is executed directly, no shell is involved.
+  Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203
+
+- Fix compatibility for htole64 and htole32, regression in 2025.87
+  Patch from Peter Fichtner to work with old GCC versions, and
+  patch from Matt Robinson to check different header files.
+
+- Fix building on older compilers or libc that don't support
+  static_assert(). Regression in 2025.87
+
+- Support ~R in the client to force a key re-exchange.
+
+- Improve strict KEX handling. Dropbear previously would allow other
+  packets at the end of key exchange prior to receiving the remote
+  peer's NEWKEYS message, which should be forbidden by strict KEX.
+  Reported by Fabian Bäumer.
+
 2025.87 - 5 March 2025
 
 Note >> for compatibility/configuration changes

debian/changelog

@@ -1,3 +1,9 @@
+dropbear (2025.88-0.1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Matt Johnston <matt@ucc.asn.au>  Wed, 7 May 2025 22:51:57 +0800
+
 dropbear (2025.87-0.1) unstable; urgency=low
 
   * New upstream release.

src/sysoptions.h

@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2025.87"
+#define DROPBEAR_VERSION "2025.88"
 #endif
 
 /* IDENT_VERSION_PART is the optional part after "SSH-2.0-dropbear". Refer to RFC4253 for requirements. */