Dropbear 2019.77

Matt Johnston matt at ucc.asn.au
Sat Mar 23 22:02:49 AWST 2019


Hi all,

At long last Dropbear 2019.77 is released. Most changes are
bug fixes, with a few small features. There are security
fixes to avoid revealing the existence of valid usernames.

This release also merges the fuzzing branch. In a
normal build this should have no effect on operation.

There are a few larger changes that are ready to merge
that will have to wait for the next release - I wanted to
get this bugfix out of the way first.

Download at
https://matt.ucc.asn.au/dropbear/dropbear.html
mirror
https://dropbear.nl/mirror/dropbear.html

Cheers,
Matt

2019.77 - 23 March 2019

- Fix server -R option with ECDSA - only advertise one key size which will be accepted.
  Reported by Peter Krefting, 2018.76 regression.

- Fix server regression in 2018.76 where multiple client -R forwards were all forwarded 
  to the first destination. Reported by Iddo Samet.

- Make failure delay more consistent to avoid revealing valid usernames, set server password 
  limit of 100 characters. Problem reported by usd responsible disclosure team

- Change handling of failed authentication to avoid disclosing valid usernames,
  CVE-2018-15599. 

- Fix dbclient to reliably return the exit code from the remote server.
  Reported by W. Mike Petullo

- Fix export of 521-bit ECDSA keys, from Christian Hohnstädt

- Add -o Port=xxx option to work with sshfs, from xcko

- Merged fuzzing code, see FUZZER-NOTES.md

- Add a DROPBEAR_SVR_MULTIUSER=0 compile option to run on 
  single-user Linux kernels (CONFIG_MULTIUSER disabled). From Patrick Stewart

- Increase allowed username to 100 characters, reported by W. Mike Petullo

- Update config.sub and config.guess, should now work with RISC-V

- Cygwin compile fix from karel-m

- Don't require GNU sed (accidentally in 2018.76), reported by Samuel Hsu

- Fix for IRIX and writev(), reported by Kazuo Kuroi

- Other fixes and cleanups from François Perrad, Andre McCurdy, Konstantin Demin,
  Michael Jones, Pawel Rapkiewicz

