github mkj/dropbear DROPBEAR_2026.90
Dropbear 2026.90

Download tarballs from
https://matt.ucc.asn.au/dropbear/releases/dropbear-2026.90.tar.bz2 or
https://dropbear.nl/mirror/releases/dropbear-2026.90.tar.bz2
The tarball is reproducible from git with release.sh

  • Security: server: Fix ability to bypass an authorized_keys "forced_command"
    option by an authenticated user, if Dropbear is running with the "-t" option
    ("-t" requires both password and public key authentication).
    c60db64
    Reported by Jeremy Brown

  • Security: server: Open authorized_keys non-blocking. This avoids getting stuck
    on special files, which could allow denial of service by local users.
    8b57957
    Reported by Turistu

  • Security: scp: Add missed patch to fix CVE-2019-6111 allowing a malicious server
    to overwrite unexpected files.
    143291b
    Patch from OpenSSH, reported missing by Asim Viladi Oglu Manizada @manizada

    Note breaking change: "-r" is now disallowed when the target directory exists
    (an additional change in Dropbear's version). If that is required, an
    alternative such as rsync could be used.
    61bd0e3

  • Security: scp: Clear setuid/setgid bits on received files.
    443ccc1
    Patch from OpenSSH, tracked as CVE-2026-35385

  • Security: client/server: Fix close() of a file descriptor from an out-of-bounds
    read. This seems difficult to exploit but may have unforeseen effects.
    067fd38
    Reported by Ankit Singh and @j499261162

  • server: Add unix stream forwarding listener support (-R from the client)
    Patch from Brian Dentino @bdentino

  • server: Add -M argument for maximum session duration.
    Github PR #409 from Martin Schiller

  • server: Add permitlisten authorized_keys option
    This allows limiting to a specific port.
    Github PR #384 from Mitar

  • rsa: keys generated with dropbearkey 0.32 or earlier are no longer supported
    (0.33 was released in 2003). RSA exponent blinding is implemented to reduce a
    cache timing side channel. Side channel reported by Ciaran Mullan.

  • server: Limit the number of public key queries to 15.
    This is a mitigation against internet-wide scanning of hosts for public keys.
    It doesn't provide much mitigation against targeted enumeration on a
    server; in that case public keys should not be treated as private.
    Reported by HD Moore, details are in the SSHamble presentation.

  • server: Disallow client-sent signals when there is a forced command.
    Some programs could have unexpected handling.
    Reported by HD Moore in the SSHamble presentation.

  • client: Don't attempt PTY requests for non-TTYs.
    Github issue #385

  • server: Don't allow client-sent signals when Dropbear is built with
    DROPBEAR_SVR_DROP_PRIVS = 0

  • server: Fix closing TCP remote listeners. This has never worked properly.
    Github PR #414

  • server: Improve protocol correctness sending replies to tcpip forward
    requests (-L from the client)

  • Fix some timeouts being delayed. Github PR #318

  • Improve manpage documentation for forced commands

  • Fix distclean of config.h and libtom*/Makefile

  • Add curve25519 checks required by rfc8032. These have no effect on SSH protocol
    security.

  • Fix "ssh-connection" check, reported by Turistu in Github #397.
    Has no effect on program function.
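The non-blocking authorized_keys open from the second security item above, as an added example that is not Dropbear's own code: open with O_NONBLOCK so a FIFO with no writer cannot stall the call, then check with fstat() on the opened descriptor that it is a regular file before reading. The temp-directory paths, the size limit and the self-check function are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a key file read-only without risking a hang on a special file:
 * O_NONBLOCK makes open() return at once even for a FIFO with no writer,
 * O_NOFOLLOW rejects a symlink as the final component, and fstat() on the
 * opened descriptor (not a racy separate stat()) rejects anything that is
 * not a regular file of sane size. Returns fd, or -1 with errno set. */
int open_regular_file_nonblocking(const char *path, off_t max_size)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int err = (fstat(fd, &st) != 0)   ? errno
            : !S_ISREG(st.st_mode)    ? EINVAL
            : (st.st_size > max_size) ? EFBIG : 0;
    if (err) {
        close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

/* Self-check on constructed files in a temp directory: a FIFO with no writer
 * (a plain blocking open() would hang on it) is opened and rejected at once,
 * while an ordinary key file is accepted. Returns 1 if both behave so. */
int demo_special_file_is_rejected(void)
{
    char dir[] = "/tmp/akdemoXXXXXX", fifo[64], reg[64];
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(reg, sizeof reg, "%s/authorized_keys", dir);
    close(open(reg, O_WRONLY | O_CREAT, 0600));  /* empty regular key file */
    if (mkfifo(fifo, 0600) == 0) {
        fd = open_regular_file_nonblocking(fifo, 1 << 20);  /* must not hang */
        ok = (fd < 0 && errno == EINVAL);
    }
    fd = open_regular_file_nonblocking(reg, 1 << 20);
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    unlink(fifo); unlink(reg); rmdir(dir);
    return ok;
}
```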
