From: ftpmaster@ftp-master.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Dec 2025 20:36:49 +0100
Source: dropbear
Architecture: source
Version: 2025.89-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Guilhem Moulin
Changed-By: Guilhem Moulin
Closes: 1123069
Changes:
dropbear (2025.89-1~deb13u1) trixie-security; urgency=high
.
* New upstream security and bugfix release (closes: #1123069).
+ Fix CVE-2025-14282: Privilege escalation via unix stream forwarding in
Dropbear server. Other programs on a system may authenticate unix
sockets via SO_PEERCRED, which would be root user for Dropbear forwarded
connections, allowing root privilege escalation.
+ The server now drops privileges of the dropbear process after
authentication.
+ Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root"
rule.
+ Unix stream sockets are now disallowed when a forced command is used,
either with authorized_key restrictions or "dropbear -c command".
* DEP-8: Add "Depends: e2fsprogs" to remote-unlocking test.
Checksums-Sha1:
cfb8ea4ab2f193387ca6a6c7850ea1b1d7189a23 2599 dropbear_2025.89-1~deb13u1.dsc
65a32c5de0041e65cf9ab6cc894a64e07ed31e47 2374006 dropbear_2025.89.orig.tar.bz2
759ece8f1c87edd16a9fc1531d7df74d46dd1ca2 833 dropbear_2025.89.orig.tar.bz2.asc
0a4fb5884dd26dc7c63f8983d6f47d5e490b911a 35256 dropbear_2025.89
1~deb13u1.debian.tar.xz
1c415e9205ab52a867974bb0aaf3e947bed0c389 5942 dropbear_2025.89-
~deb13u1_source.buildinfo
Checksums-Sha256:
4894db0aeed8ab9b25fbea47aa7ef35b055c4473a3512b975b87886db02091f6 2599
dropbear_2025.89-1~deb13u1.dsc
0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634 2374006
dropbear_2025.89.orig.tar.bz2
ef0ff9a8fe8e0b6c66892c9415f0d6e8e5676aac5a024ebcc43c2271d1c8f0d6 833
dropbear_2025.89.orig.tar.bz2.asc
6cd9872fa30e82db1c754101b4413a9b343f4e1bb4069d139a03305ab3f882c2 35256
dropbear_2025.89-1~deb13u1.debian.tar.xz
cadbc678b117558d2895c2099c6a7247051b09c8dbb64fcd2636209759b939a2 5942
dropbear_2025.89-1~deb13u1_source.buildinfo
Files:
1463c3d0e34e8e38a3f90fa6afeed115 2599 net optional dropbear_202
.89-1~deb13u1.dsc
2816ff711130f030daee12cbb10fd5ec 2374006 net optional dropbear_
025.89.orig.tar.bz2
1f0c0a79e8f024412072306eb221970e 833 net optional dropbear_2025
89.orig.tar.bz2.asc
555a4c81eac428b8ff0cd49f4eebd351 35256 net optional dropbear_20
5.89-1~deb13u1.debian.tar.xz
dd99c4416631223936ff3fe9d47209c7 5942 net optional dropbear_202
.89-1~deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmlBte0ACgkQ05pJnDwh
pVLyDQ//d2S5z/7pQjvSiKaIOaikzT6lxp1C5QZZ7rv7KW2Ccpx9VVjKbHdq96EE
y19COgITwo+b75h8ZoHWxQf6PQsyGg6c3+aCMnZ/D0S3IknC0pHNRTL64H5EFhGR
kVL6v6z2lT/Y6yr4lFPOy3MjB7Hf/WsxbWB1ACrLNyYN+nkjQCiJ42/4BQc7NReP
AO9c+bNsqhQMt8UErbuCgyO6nt54c+GVoMxhmi1GSSj2s7erwVhp1ecI5xL8NnCi
3Hw2dFxteRTC3uuVZ2FkL6QCT7POmpXP9dAiL9NV6VC4jIf9TuFa6kgSVL7fjmS3
Nlv37odVdFv/3cf2vcwAwNhZP7Ya7EToSiBLPNbgGHX+CZflK321P6C6gJM+ZoN7
EoOIQtToYXJHsGWGVrlkWY6zPb+or+FD4s9njdF/dh0t7K+yq709DFOnKlGdIkc2
+y7UGJn1VZDV+ibV0RWnx5iC5xx25Ldsb4+7gGp/UoeANP0cX+koAC4ob/jiWrPl
E/NITaRkJ0tiOk4CZ4DAf4/8OPAnx0qczIkshhA1IPjjyD74j5WFhrpFETcKmnXo
cXlcK+3ngSAxQw16/3OAID0JZpxF5VfMN2JmKxskAaL57TILUz7qcxTLEHjUOQ4y
pwYlakef1SVUR0wntkrhQrh0rxkMSBQfMev8VW/BDYHCSINoPzs=
=YKV3
-----END PGP SIGNATURE-----
--==============x59072252263455989=Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCaUaJSwAKCRCb9qggYcy5
IebeAP9+qm3CYZ/V19bvpH09uc2STEU7jStThAEAcJNF9jV2+gD/fwOwv5glNw+q
Vn80VLcrD1h0GIm9FIYYN8VfRPBDRw0=GvRS
-----END PGP SIGNATURE-----
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
