github mkj/dropbear DROPBEAR_2025.89
Dropbear 2025.89

Download tarballs from
https://matt.ucc.asn.au/dropbear/releases/dropbear-2025.89.tar.bz2 or
https://dropbear.nl/mirror/releases/dropbear-2025.89.tar.bz2
The tarball is reproducible from git with release.sh

  • Security: Avoid privilege escalation via unix stream forwarding in Dropbear
    server. Other programs on a system may authenticate unix sockets via
    SO_PEERCRED, which would be the root user for Dropbear forwarded connections,
    allowing root privilege escalation.
    Reported by Turistu, and thanks for advice on the fix.
    This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.

    It is fixed by dropping privileges of the dropbear process after
    authentication. Unix stream sockets are now disallowed when a
    forced command is used, either with authorized_key restrictions or
    "dropbear -c command".

    In previous affected releases, running with "dropbear -j" (which also disables
    TCP forwarding) or building with localoptions.h/distrooptions.h containing
    "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.

  • Security: Include scp fix for CVE-2019-6111. This allowed
    a malicious server to overwrite arbitrary local files.
    The missing fix was reported by Ashish Kunwar.

  • Server dropping privileges post-auth is enabled by default. This requires
    setresgid() support, so some platforms such as netbsd or macos will have to
    disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
    not available if DROPBEAR_SVR_DROP_PRIVS is disabled.

    Remote server TCP socket forwarding will now use OS privileged port
    restrictions rather than having a fixed "allow >=1024 for non-root" rule.

    A future release may implement privilege dropping for netbsd/macos.

  • Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
    to a crash at startup with bad_bufptr().
    Reported by Dani Schmitt and Sebastian Priebe.

  • Don't limit channel window to 500MB. That could cause stuck connections
    if peers advise a large window and don't send an increment within 500MB.
    Affects SSH.NET (sshnet/SSH.NET#1671).
    Reported by Rob Hague.

  • Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
    Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.

  • Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.

  • Fix incorrect server auth delay. It was meant to be 250-350ms but was actually
    150-350ms or possibly negative (zero). Reported by pickaxprograms.

  • Fix building without public key options. Thanks to Konstantin Demin.

  • Fix building with proxycmd but without netcat. Thanks to Konstantin Demin.

  • Fix incorrect path documentation for distrooptions. Thanks to Todd Zullinger.

  • Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
