Dropbear 2016.72
Matt Johnston
matt at ucc.asn.au
Thu Mar 10 20:59:03 AWST 2016
Hi all,
Dropbear SSH 2016.72 is released. This has a single change, a
security fix. If X11 forwarding is enabled a user could
bypass any "command=" restrictions in authorized_keys and run
any command as their own user (or perform other operations
allowed by the "xauth" binary such as writing files). It
does not affect systems where command= restrictions are not
used.
As usual downloads are at https://matt.ucc.asn.au/dropbear/dropbear.html
The patch is https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff
Cheers,
Matt
2016.72 - 9 March 2016
- Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions,
found by github.com/tintinweb. Thanks to Damien Miller for a patch.
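
An audit for the exposure described in the announcement, as an added example that is not part of the original post or of the Dropbear source: it parses authorized_keys lines and reports keys that rely on command= without also setting no-X11-forwarding. The function names and the sample file are constructed for illustration, and treating no-X11-forwarding as the per-key switch for X11 forwarding is an assumption about the deployment.

```python
# Key-type prefixes: a line starting with one of these has no options field.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample authorized_keys (key blobs are placeholders, not real keys).
SAMPLE = '''\
# backup and reporting keys
command="rsync --server -vlogDtpr . /backup",no-pty ssh-rsa AAAA_PLACEHOLDER_1 backup@host1
command="echo \\"hi, there\\"",no-X11-forwarding,no-pty ssh-ed25519 AAAA_PLACEHOLDER_2 ci@host2
ssh-rsa AAAA_PLACEHOLDER_3 admin@host3
no-pty,command="/usr/local/bin/report" ecdsa-sha2-nistp256 AAAA_PLACEHOLDER_4 report@host4
'''

def split_options(line):
    """Return the option list of one line; quoted values may hold commas, spaces and \\"."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_quote and line.startswith('\\"', i):
            cur += '\\"'          # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            opts.append(cur)      # option separator
            cur = ""
        elif c in " \t" and not in_quote:
            break                 # options field ends, key type follows
        else:
            cur += c
        i += 1
    return opts + [cur]

def exposed_entries(text):
    """Return (line number, forced command) for keys with command= but no no-X11-forwarding."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = split_options(line)
        names = {o.split("=", 1)[0].lower() for o in opts}  # names compared case-insensitively
        if "command" in names and "no-x11-forwarding" not in names:
            cmd = next(o for o in opts if o.lower().startswith("command="))
            findings.append((n, cmd.split("=", 1)[1].strip('"')))
    return findings

if __name__ == "__main__":
    print(exposed_entries(SAMPLE))
```

Upgrading to 2016.72 is the fix; the report shows which keys depend on command= and should be reviewed on hosts that ran an earlier version with X11 forwarding enabled.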