git: 84ed9d88c736 - main - security/dropbear: update to 2025.89

From: Piotr Kubaj <pkubaj_at_FreeBSD.org>
Date: Mon, 22 Dec 2025 07:05:55 UTC
The branch main has been updated by pkubaj:

URL: https://cgit.FreeBSD.org/ports/commit/?id=84ed9d88c7369ddb17229d512891e5dd795d2671

commit 84ed9d88c7369ddb17229d512891e5dd795d2671
Author:     Piotr Kubaj <pkubaj@FreeBSD.org>
AuthorDate: 2025-12-22 06:26:29 +0000
Commit:     Piotr Kubaj <pkubaj@FreeBSD.org>
CommitDate: 2025-12-22 07:05:51 +0000

    security/dropbear: update to 2025.89
    
    Changelog:
    - Security: Avoid privilege escalation via unix stream forwarding in Dropbear
      server. Other programs on a system may authenticate unix sockets via
      SO_PEERCRED, which would be root user for Dropbear forwarded connections,
      allowing root privilege escalation.
      Reported by Turistu, and thanks for advice on the fix.
      This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
    
      It is fixed by dropping privileges of the dropbear process after
      authentication. Unix stream sockets are now disallowed when a
      forced command is used, either with authorized_key restrictions or
      "dropbear -c command".
    
      In previous affected releases running with "dropbear -j" (will also disable
      TCP forwarding) or building with localoptions.h/distrooptions.h
      "#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
    
    - Security: Include scp fix for CVE-2019-6111. This allowed
      a malicious server to overwrite arbitrary local files.
      The missing fix was reported by Ashish Kunwar.
    
    - Server dropping privileges post-auth is enabled by default. This requires
      setresgid() support, so some platforms such as netbsd or macos will have to
      disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
      not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
    
      Remote server TCP socket forwarding will now use OS privileged port
      restrictions rather than having a fixed "allow >=1024 for non-root" rule.
    
      A future release may implement privilege dropping for netbsd/macos.
    
    - Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
      to a crash at startup with bad_bufptr().
      Reported by Dani Schmitt and Sebastian Priebe.
    
    - Don't limit channel window to 500MB. That could cause stuck connections
      if peers advise a large window and don't send an increment within 500MB.
      Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
      Reported by Rob Hague.
    
    - Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
      Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
    
    - Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
    
    - Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
      150-350ms or possibly negative (zero). Reported by pickaxprograms.
    
    - Fix building without public key options. Thanks to Konstantin Demin
    
    - Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
    
    - Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
    
    - Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
---
 security/dropbear/Makefile | 2 +-
 security/dropbear/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile
index 86a98ed52493..f50c85c497e5 100644
--- a/security/dropbear/Makefile
+++ b/security/dropbear/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	dropbear
-PORTVERSION=	2025.88
+PORTVERSION=	2025.89
 CATEGORIES=	security
 MASTER_SITES=	https://matt.ucc.asn.au/dropbear/releases/
 
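Review bot: the PORTVERSION change to 2025.89 delivers the fixes for CVE-2025-14282 and CVE-2019-6111, yet the commit message carries no "Security:" or "MFH:" trailer, so nothing in this commit marks it as a security update or requests a merge to the quarterly branch. Consider adding "Security: CVE-2025-14282" and an MFH line. The changelog also states that post-auth privilege dropping is now enabled by default and that unix stream sockets are disallowed when a forced command is used; that is a behaviour change for existing installations and may deserve a note for users who upgrade.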
diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo
index 8eccf5f9f7b0..1e6d4cc015c9 100644
--- a/security/dropbear/distinfo
+++ b/security/dropbear/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1746647982
-SHA256 (dropbear-2025.88.tar.bz2) = 783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4
-SIZE (dropbear-2025.88.tar.bz2) = 2370480
+TIMESTAMP = 1766232681
+SHA256 (dropbear-2025.89.tar.bz2) = 0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634
+SIZE (dropbear-2025.89.tar.bz2) = 2374006
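Review bot: the new SHA256 and SIZE lines for dropbear-2025.89.tar.bz2 are the only integrity check on a tarball fetched from the single MASTER_SITES host, and the commit does not say what the hash was compared against. For a release whose purpose is a security fix, confirm the value against a checksum or signature published by upstream and obtained independently of the download itself, and mention that check in the commit message.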