pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/security/dropbear



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jul  7 08:27:23 UTC 2026

Modified Files:
        pkgsrc/security/dropbear: Makefile distinfo

Log Message:
dropbear: updated to 2026.92

2026.92 - 6 July 2026

Note >> for compatibility/configuration changes

- >> server auth plugins have been deprecated, the configure option
  has been renamed to --enable-plugin-deprecated.
  Planned to be removed in future.

- >> Two factor auth "-t" has been deprecated, it now requires
  a configuration option DEPRECATED_TWO_FACTOR.
  Planned to be removed in future.

- Security: server: Don't allow -B (accept blank password) with
  -t (two factor auth). If run with -t and -B a user configured with a
  blank password would be allowed to log in without pubkey auth.
  https://github.com/mkj/dropbear/commit/23ec78285639edf068d86bb96f91cba755039740
  Reported by nvidia

- Security: server: Fix parsing of long authorized_keys lines.
  The remainder of a long line would be handled as the start of a new line.
  In the case where external programs add semi-trusted public keys to
  authorized_keys, a crafted key might bypass restrictions such as "command=".
  https://github.com/mkj/dropbear/commit/8d8e1930b866eb44135ae393a793cbeb03b6b9d6
  Reported by nvidia

- >> authorized_keys is now limited to 300 lines.

- server: Prevent unbounded memory use that could be triggered by an
  authenticated peer. This would require waiting for the server to
  trigger a rekey, so after 8 hours or transferring 1GB data.
  Noticed while implementing Sunset SSH, also reported by nvidia

- >> all programs and scp: Disallow following symlinks when writing output
  files. This could prevent symlink attacks. Writing keys to an untrusted
  directory is not recommended regardless.

- server: "-o gatewayports=no" was treated as yes.

- server: Disallow -t multifactor with plugins.
  Plugin interactions with -t are not well tested, plugins may
  not correctly handle multiple successful authentications.
  Reported by nvidia

- server: ensure that authorized_keys "permitopen" values are valid
  ports. 0xffffffff (or signed equivalent) would be accepted as "any port".

- server: fix null pointer segfault when rejecting a stream forward.
  Found by oss-fuzz

- dropbearconvert: Fix out of bounds read. dropbearconvert would exit
  normally with an error, does not seem exploitable.
  Reported by Yiyi Wang, Tsinghua University

- dbclient: Fixed a 1 byte out of bounds write in ssh-askpass handling
  (not compiled by default)

- server: Increase pubkey query count. The limit added in
  Dropbear 2026.90 was intended to be 15, but it was only 10.
  Reported by Rui Salvaterra

- scp: escape terminal control codes from filenames printed by
  progress (SCPPROGRESS=1, disabled by default).
  Additional fix from Basavaraj S Maneppagol @basavaraj-sm05

- Fix sntrup/mlkem build on old platforms using debian/ directory
  packaging. Note that this isn't well maintained, it is better
  to use upstream Debian packaging if possible.

- Fix compile warning on 32 bit platforms in sntrup

- Suggest libcrypt-dev for crypt() in configure script if it's missing.

- Increase MAX_HOSTKEYS to 6, suggested by Darren Tucker.

- Allow DROPBEAR_ECC_256/384/521 to be specified in localoptions.h
  Patch from Felipe Moura

- Fix typo in missing hostname message, from Robin Neatherway


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/dropbear/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/dropbear/Makefile
diff -u pkgsrc/security/dropbear/Makefile:1.47 pkgsrc/security/dropbear/Makefile:1.48
--- pkgsrc/security/dropbear/Makefile:1.47      Thu May 28 12:34:50 2026
+++ pkgsrc/security/dropbear/Makefile   Tue Jul  7 08:27:23 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.47 2026/05/28 12:34:50 adam Exp $
+# $NetBSD: Makefile,v 1.48 2026/07/07 08:27:23 adam Exp $
 
-DISTNAME=      dropbear-2026.91
+DISTNAME=      dropbear-2026.92
 CATEGORIES=    security
 MASTER_SITES=  https://matt.ucc.asn.au/dropbear/releases/
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/security/dropbear/distinfo
diff -u pkgsrc/security/dropbear/distinfo:1.39 pkgsrc/security/dropbear/distinfo:1.40
--- pkgsrc/security/dropbear/distinfo:1.39      Thu May 28 12:34:50 2026
+++ pkgsrc/security/dropbear/distinfo   Tue Jul  7 08:27:23 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.39 2026/05/28 12:34:50 adam Exp $
+$NetBSD: distinfo,v 1.40 2026/07/07 08:27:23 adam Exp $
 
-BLAKE2s (dropbear-2026.91.tar.bz2) = 602b7266aa179a305a51f013f2af4e19246ab32e55c9ff9f834361a8befdfa75
-SHA512 (dropbear-2026.91.tar.bz2) = f335bffb18f6e4a261732b80d6887d1b2891a96a0eb5be0cc6bd96a8803eeea337967a2a9196bec78ac3f0d2cdb31e4b64598efb7f7ad97c652d51c458ccc5df
-Size (dropbear-2026.91.tar.bz2) = 2382176 bytes
+BLAKE2s (dropbear-2026.92.tar.bz2) = 0913c6c614747cf47cb499c9a6dfd0f26bfdbb296c20d2bc83e6b01956e4aec1
+SHA512 (dropbear-2026.92.tar.bz2) = 74701cf1a47c38a8236f89bf8f06701856b958d48e64945d1e0ee9c9765fc71a06549d6a4e7d2737d00ce945265673068889550d2f1cf3782a5cf19e96819f45
+Size (dropbear-2026.92.tar.bz2) = 2383311 bytes
 SHA1 (patch-Makefile.in) = 0bb649ed8688666513c35e139e7e349fd83b3a1b
 SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
 SHA1 (patch-localoptions.h) = 59ddfe3717e7fb961f597be7645557e11bd6e9fb



Home | Main Index | Thread Index | Old Index