From matt at ucc.asn.au Wed May 7 20:29:58 2025
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 7 May 2025 20:29:58 +0800
Subject: Dropbear 2025.88
Message-ID:

Hi all,

Dropbear 2025.88 is released. It has a few regression fixes
from 2025.87, and a security fix applicable to users of
dbclient where the hostname argument might be set from
untrusted input.

https://matt.ucc.asn.au/dropbear/
https://dropbear.nl/mirror/

Cheers,
Matt

2025.88 - 7 May 2025

- Security: Don't allow dbclient hostname arguments to be interpreted
  by the shell.

  dbclient hostname arguments with a comma (for multihop) would be
  passed to the shell which could result in running arbitrary shell
  commands locally. That could be a security issue in situations
  where dbclient is passed untrusted hostname arguments.

  Now the multihop command is executed directly, no shell is involved.
  Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203

- Fix compatibility for htole64 and htole32, regression in 2025.87
  Patch from Peter Fichtner to work with old GCC versions, and
  patch from Matt Robinson to check different header files.

- Fix building on older compilers or libc that don't support
  static_assert(). Regression in 2025.87

- Support ~R in the client to force a key re-exchange.

- Improve strict KEX handling. Dropbear previously would allow other
  packets at the end of key exchange prior to receiving the remote
  peer's NEWKEYS message, which should be forbidden by strict KEX.
  Reported by Fabian Bäumer.

From s.gottschall at dd-wrt.com Wed May 7 21:34:55 2025
From: s.gottschall at dd-wrt.com (Sebastian Gottschall)
Date: Wed, 7 May 2025 15:34:55 +0200
Subject: Dropbear 2025.88
In-Reply-To:
References:
Message-ID: <03a1fa2f-7791-4468-aff4-bc9b302cbd5f@dd-wrt.com>

Forbidden

You don't have permission to access this resource.

On 07.05.2025 at 14:29, Matt Johnston wrote:
> Hi all,
>
> Dropbear 2025.88 is released. It has a few regression fixes
> from 2025.87, and a security fix applicable to users of
> dbclient where the hostname argument might be set from
> untrusted input.
>
> https://matt.ucc.asn.au/dropbear/
> https://dropbear.nl/mirror/
>
> Cheers,
> Matt
>
> 2025.88 - 7 May 2025
>
> - Security: Don't allow dbclient hostname arguments to be interpreted
>   by the shell.
>
>   dbclient hostname arguments with a comma (for multihop) would be
>   passed to the shell which could result in running arbitrary shell
>   commands locally. That could be a security issue in situations
>   where dbclient is passed untrusted hostname arguments.
>
>   Now the multihop command is executed directly, no shell is involved.
>   Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203
>
> - Fix compatibility for htole64 and htole32, regression in 2025.87
>   Patch from Peter Fichtner to work with old GCC versions, and
>   patch from Matt Robinson to check different header files.
>
> - Fix building on older compilers or libc that don't support
>   static_assert(). Regression in 2025.87
>
> - Support ~R in the client to force a key re-exchange.
>
> - Improve strict KEX handling. Dropbear previously would allow other
>   packets at the end of key exchange prior to receiving the remote
>   peer's NEWKEYS message, which should be forbidden by strict KEX.
>   Reported by Fabian Bäumer.
>

From matt at ucc.asn.au Wed May 7 22:50:39 2025
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 07 May 2025 22:50:39 +0800
Subject: Dropbear 2025.88
In-Reply-To: <03a1fa2f-7791-4468-aff4-bc9b302cbd5f@dd-wrt.com>
References: <03a1fa2f-7791-4468-aff4-bc9b302cbd5f@dd-wrt.com>
Message-ID:

Sorry, permissions should be fixed now.

Matt

On 7 May 2025 9:34:55 pm AWST, Sebastian Gottschall wrote:
>
> Forbidden
>
>You don't have permission to access this resource.
>
>
>On 07.05.2025 at 14:29, Matt Johnston wrote:
>> Hi all,
>>
>> Dropbear 2025.88 is released. It has a few regression fixes
>> from 2025.87, and a security fix applicable to users of
>> dbclient where the hostname argument might be set from
>> untrusted input.
>>
>> https://matt.ucc.asn.au/dropbear/
>> https://dropbear.nl/mirror/
>>
>> Cheers,
>> Matt
>>
>> 2025.88 - 7 May 2025
>>
>> - Security: Don't allow dbclient hostname arguments to be interpreted
>>   by the shell.
>>
>>   dbclient hostname arguments with a comma (for multihop) would be
>>   passed to the shell which could result in running arbitrary shell
>>   commands locally. That could be a security issue in situations
>>   where dbclient is passed untrusted hostname arguments.
>>
>>   Now the multihop command is executed directly, no shell is involved.
>>   Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203
>>
>> - Fix compatibility for htole64 and htole32, regression in 2025.87
>>   Patch from Peter Fichtner to work with old GCC versions, and
>>   patch from Matt Robinson to check different header files.
>>
>> - Fix building on older compilers or libc that don't support
>>   static_assert(). Regression in 2025.87
>>
>> - Support ~R in the client to force a key re-exchange.
>>
>> - Improve strict KEX handling. Dropbear previously would allow other
>>   packets at the end of key exchange prior to receiving the remote
>>   peer's NEWKEYS message, which should be forbidden by strict KEX.
>>   Reported by Fabian Bäumer.
>>
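
Added example (not part of the thread and not Dropbear code): a caller-side guard for programs that pass a hostname from untrusted input to dbclient, the situation the CVE-2025-47203 entry describes. It mirrors the fix's "no shell is involved" approach by launching dbclient with an argv array. The function names and the single-host allowlist policy, which refuses the comma multihop form entirely, are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy for untrusted input: one host, RFC 1123 characters only. */
int hostname_is_safe(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.')
        return 0;   /* empty, oversized, or would parse as an option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        /* Allowlist: drops ',' (multihop), '@', '/', spaces, shell metacharacters. */
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Runs "dbclient <host>" from an argv array, so no shell parses the host.
 * Returns the exit status, or -1 if the host is refused or the spawn fails. */
int run_dbclient(const char *host)
{
    if (!hostname_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "dbclient", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: only the first is accepted. */
    const char *s[] = { "gw.example.org", "hop1.example,hop2.example", "-y" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s %s\n", s[i], hostname_is_safe(s[i]) ? "accept" : "reject");
    return 0;
}
```

The guard complements upgrading to 2025.88; it does not replace it.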