-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 16 Dec 2025 20:36:49 +0100 Source: dropbear Binary: dropbear-bin dropbear-bin-dbgsym Architecture: armel Version: 2025.89-1~deb13u1 Distribution: trixie-security Urgency: high Maintainer: arm Build Daemon (arm-ubc-03) Changed-By: Guilhem Moulin Description: dropbear-bin - lightweight SSH2 server and client - command line tools Closes: 1123069 Changes: dropbear (2025.89-1~deb13u1) trixie-security; urgency=high . * New upstream security and bugfix release (closes: #1123069). + Fix CVE-2025-14282: Privilege escalation via unix stream forwarding in Dropbear server. Other programs on a system may authenticate unix sockets via SO_PEERCRED, which would be root user for Dropbear forwarded connections, allowing root privilege escalation. + The server now drops privileges of the dropbear process after authentication. + Remote server TCP socket forwarding will now use OS privileged port restrictions rather than having a fixed "allow >=1024 for non-root" rule. + Unix stream sockets are now disallowed when a forced command is used, either with authorized_key restrictions or "dropbear -c command". * DEP-8: Add "Depends: e2fsprogs" to remote-unlocking test. Checksums-Sha1: 989fb74894f0ac1bd2d78208ea41935824da89b8 777028 dropbear-bin-dbgsym_2025.89-1~deb13u1_armel.deb 7197d83b0e1c1ffa651c184b7a8cebc4447b53c2 166352 dropbear-bin_2025.89-1~deb13u1_armel.deb ea543d9625c3233a6e024307bff9d13f1add8185 5868 dropbear_2025.89-1~deb13u1_armel-buildd.buildinfo Checksums-Sha256: c7560f6fe35d60866050f2b0cb5f09061d150b76cc1dd8ff525b0ac88e5a5ec4 777028 dropbear-bin-dbgsym_2025.89-1~deb13u1_armel.deb 5bcdb3e25f00dbe2dd336efb10bdac0b07eecbc3233318924d7469639f7e3197 166352 dropbear-bin_2025.89-1~deb13u1_armel.deb 2f92a26190d3e25dd72129f08308060ae860eafaacda478137a6b415abb774e6 5868 dropbear_2025.89-1~deb13u1_armel-buildd.buildinfo Files: 6d3f97de103148a325cc2ffa48d005bf 777028 debug optional dropbear-bin-dbgsym_2025.89-1~deb13u1_armel.deb 92b5f5b99ac88e92934b0900fd7a046b 166352 net optional dropbear-bin_2025.89-1~deb13u1_armel.deb b540e6270334caeabbc428e60d531f03 5868 net optional dropbear_2025.89-1~deb13u1_armel-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEENsdrABvTD8MQ0UffVza3l394K2AFAmlBztIACgkQVza3l394 K2DrGxAAluWDv12sO5bMeX1Lg3Y33x/nL/sEBmyxBaSUPBVNEDXpto4FcamBXJNU fkslMitfppIXwqMpInRgPiGn+5GOhIp66Y86Uxlc3T6TKXx5rCT+xKZPJLP+ki7t 2VAPpMMQXhR2Gr4QSU/c63Wh4lJVXW2bt1z8umGkzuoXVCwLh7fjaGer6HT20gMx ltdFc0mAAYAkFyt6EJyE/Zm4H0nMgPu/bsguWRj7yG0mKLv9pg2p671ZYDezyjbd SO9LXgq6pHU2iOoUeDm4mVVLzvc7FWq15utqdWCuTYvh8fMFnngJ4PgFGw092JuP SMhRXFP9rbM/pe47bhD1xIFfBckarSxeGw538LBTgH1CRqOgLcl5LxzHdYCY8+vp 10o3i30wlO0JCn6wIAS0+Hianf6YXTo9/xZqLr5hzZ8GSO5ZlTgmLf84EbcJaS8Z Yo6px/DFy01eMqrfgFr+HQApmm/8UpcbCZLrapmBZBG5JXFNYQlCjwABKU8w8LNC PNT/aYUjrmUJaO8IJmY/wp7+Lt1ZTiq/fwgGDTj/1GuB3UYbiIJc6gcA7IBYmLqZ SuXyFZsia15t+Lkmy8LVnmsO6Ftuy47vrfv5pOql2QnlXRbF1vGzKiS9Bne2RT8n 5AkvhxUW9zSkQ+s9x5aywe/PqNof2GsIb/bOoiqBPWWXkGpz4nk= =kfZN -----END PGP SIGNATURE-----