User enumeration in Dropbear 2018.76 and earlier

Matt Johnston matt at
Thu Aug 23 23:50:29 AWST 2018

On Mon 20/8/2018, at 11:55 pm, Matt Johnston <matt at> wrote:
> I can confirm Dropbear has the same problem, probably all versions. I should have a patch in the next couple of days.
> This allows someone to remotely know whether a particular username exists or not on a server. In some circumstances that could be a problem, though by itself it doesn't allow exploitation of a server.

This should be fixed by , a CVE number is CVE-2018-15599


-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Dropbear mailing list