Format: 1.8
Date: Tue, 16 Dec 2025 17:14:59 +0100
Source: dropbear
Architecture: source
Version: 2025.89-1
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1123069
Changes:
 dropbear (2025.89-1) unstable; urgency=high
 .
   * New upstream security and bugfix release (closes: #1123069).
     + Fix CVE-2025-14282: Privilege escalation via unix stream forwarding in
       Dropbear server. Other programs on a system may authenticate unix
       sockets via SO_PEERCRED, which would be root user for Dropbear forwarded
       connections, allowing root privilege escalation.
     + Unix stream sockets are now disallowed when a forced command is used,
       either with authorized_key restrictions or "dropbear -c command".
     + The server now drops privileges of the dropbear process after
       authentication.
     + Remote server TCP socket forwarding will now use OS privileged port
       restrictions rather than having a fixed "allow >=1024 for non-root"
       rule.
   * d/control: Remove `Rules-Requires-Root: no`.
   * d/s/lintian-overrides: Drop unused override.
   * d/watch: Port to Version 5.