dropbear (2020.81-3+deb11u2) bullseye; urgency=medium
* Fix noremotetcp behavior. Keepalive packets were being ignored when the
‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
used. (Closes: #1069768)
-- Guilhem Moulin <guilhem@debian.org> Tue, 09 Jul 2024 15:51:42 +0200
dropbear (2020.81-3+deb11u1) bullseye; urgency=medium
* Fix CVE-2021-36369: Due to a non-RFC-compliant check of the available
authentication methods in the client-side SSH code, it is possible for an
SSH server to change the login process in its favor.
* Fix CVE-2023-48795 (terrapin attack): The SSH transport protocol with
certain OpenSSH extensions allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation
message), and a client and server may consequently end up with a
connection for which some security features have been downgraded or
disabled, aka a Terrapin attack. (Closes: #1059001)
* d/t/on-lvm-and-luks: Target bullseye not sid.
* d/t/on-lvm-and-luks: Bump disk image size to 4G as the previous size was
too small for bullseye-security updates (kernel etc.).
* Salsa CI: Target bullseye and disable lintian job.
-- Guilhem Moulin <guilhem@debian.org> Fri, 26 Jan 2024 12:00:26 +0100
dropbear (2020.81-3) unstable; urgency=medium
* Initramfs: Use 10 placeholders in ~root template.
* Initramfs: Explicitly pass --tmpdir flag to mktemp(1).
* Initramfs hook: Better guard against unsafe $DESTDIR.
* Postinst: Show hostkey filename in showpubkey().
* Postinst: No longer generate DSS (DSA) host keys.
-- Guilhem Moulin <guilhem@debian.org> Thu, 14 Jan 2021 21:14:26 +0100
dropbear (2020.81-2) unstable; urgency=medium
* Initramfs hook: Use ldconfig to find the path of the dlopen()'ed sonames
to copy over.
* Rename Debian branch to debian/latest for DEP-14 compliance.
* Remove compression=bzip2 from d/gbp.conf.
* Initramfs init-bottom script: Make wait_for_dropbear() 60s timeout
configurable with new option $DROPBEAR_SHUTDOWN_TIMEOUT. (Closes:
#964187)
* Update watch file format version to 4.
* Bump Standards-Version to 4.5.1 (no changes necessary).
* d/patches/local-options.patch: Mark "Forwarded: not-needed".
* d/debian/dropbear.postinst: Use dropbearconvert(1) from $PATH not from
deprecated /usr/lib/dropbear.
* dropbear-bin: Override "breakout-link usr/lib/dropbear/dropbearconvert ->
usr/bin/dropbearconvert" lintian warning. This is a compatibility symlink
since 2020.79-1.
-- Guilhem Moulin <guilhem@debian.org> Fri, 01 Jan 2021 20:41:58 +0100
dropbear (2020.81-1) unstable; urgency=medium
* New upstream bugfix release.
-- Guilhem Moulin <guilhem@debian.org> Thu, 29 Oct 2020 23:16:17 +0100
dropbear (2020.80-1) unstable; urgency=medium
* New upstream bugfix release.
* debian/patches/authorized_keys-options-parsing.patch: Remove patch, now
applied upstream.
* debian/tests/on-lvm-and-luks: Replace dpkg-architecture(1) call with
`dpkg --print-architecture`. The CI runners aren't build machines.
-- Guilhem Moulin <guilhem@debian.org> Fri, 26 Jun 2020 17:38:44 +0200
dropbear (2020.79-2) unstable; urgency=medium
* debian/tests/on-lvm-and-luks: skip test on non-amd64 hosts.
* Remove build dependency on dh-exec(1).
* debian/control: Bump debhelper compatibility level to 13.
* debian/service/run: (runit script) to drop deprecated option '-d' and add
support for ECDSA and ED25519 host keys.
-- Guilhem Moulin <guilhem@debian.org> Tue, 16 Jun 2020 16:09:57 +0200
dropbear (2020.79-1) unstable; urgency=low
[ Guilhem Moulin ]
* New upstream release. Highlights and potentially breaking changes include
+ Add ed25519 host and client keys support.
+ Add ChaCha20/Poly1305 authenticated cipher support.
+ X11 forwarding is disabled at compile time.
+ AES-CBC and 3DES ciphers are disabled at compile time.
+ Use getrandom() call for entropy collection.
* debian/README.initramfs: fix path to cryptsetup's README.Debian.gz.
(Closes: #934146)
* debian/initramfs/dropbear-hook: Don't mention cryptroot in warning
messages, only SSH login.
* debian/initramfs/bottom-dropbear: Wait for drobear to start before
bringing the network down. This avoids a race where the network stack were
fully not configured yet by the time the execution is handed over to the
main system. (Closes: #943459)
* debian/dropbear.postinst: Remove comparison with ancient version 0.50-4
(released in 2008).
* debian/control: dropbear: Add Pre-Depends: ${misc:Pre-Depends}.
* debian/control: Bump Standards-Version to 4.5.0 (no changes necessary).
* debian/control: Set 'Rules-Requires-Root: no'.
* debian/control: Remove duplicate Depends: lsb-base.
* debian/control: Bump minimum version for libtomcrypt and libtommath.
* Install dropbearconvert(1) to /usr/bin, and add a compatibility symlink
in its previous location /usr/lib/dropbear.
[Johannes 'josch' Schauer]
* Add autopkgtest to test dropbear-initramfs. (Closes: #934753)
* Enable Salsa CI tests.
[ Debian Janitor ]
* Trim trailing whitespace.
* Add missing dependency on lsb-base.
* Bump debhelper from old 9 to 12.
* Drop unnecessary dependency on dh-autoconf.
* Rely on pre-initialized dpkg-architecture variables.
* Fix day-of-week for changelog entries 0.32cvs-1, 0.32cvs-1.
* Wrap long lines in changelog entries: 2014.64-1.
-- Guilhem Moulin <guilhem@debian.org> Tue, 16 Jun 2020 02:50:00 +0200
dropbear (2019.78-2) unstable; urgency=medium
* Improve upgrade path via Recommends and NEWS entry.
* d/control:
+ Change dropbear's Recommends to 'cryptsetup-initramfs' from
'cryptsetup'. That's the package shipping cryptsetup's initramfs
integration.
+ Bump Standards-Version to 4.4.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Sat, 27 Jul 2019 18:20:59 -0300
dropbear (2019.78-1) unstable; urgency=medium
* New upstream release.
* Rename 'dropbear-run' to 'dropbear'. 'dropbear-run' is now a transitional
dummy package depending on 'dropbear'. This complete the package split
started with 2015.68-1.
* dropbear-initramfs: Remove backward compatibility checks and warnings that
were added for the upgrade path from Jessie to Stretch. (Closes: #926875)
-- Guilhem Moulin <guilhem@debian.org> Mon, 08 Jul 2019 17:06:07 +0200
dropbear (2018.76-5) unstable; urgency=medium
* Put custom options, such as SFTPSERVER_PATH, in localoptions.h not in
debian/rules. Regression since 2018.76-1, cf. upstream's CHANGES file.
(Closes: #915826.)
* debian/upstream/signing-key.asc: Minimize upstream's OpenPGP certificate.
* debian/control: Bump Standards-Version to 4.3.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Tue, 12 Feb 2019 13:06:15 +0100
dropbear (2018.76-4) unstable; urgency=medium
* Backport security fix for CVE-2018-15599: The recv_msg_userauth_request
function in svr-auth.c in Dropbear through 2018.76 is prone to a user
enumeration vulnerability because username validity affects how fields in
SSH_MSG_USERAUTH messages are handled. (Closes: #906890.)
Cherry-picked from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
* debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Fri, 24 Aug 2018 14:36:51 +0200
dropbear (2018.76-3) unstable; urgency=medium
* debian/initramfs/bottom-dropbear:
+ Read and parse /proc/*/stat instead of ps(1)'s output, as ps(1) options
differ between Debian and Ubunt's busybox. Thanks to 'eviljoel' for the
patch. (LP: #1652091.)
+ Normalize paths before comparison. This fixes dropbear shutdown on
initramfs images with an usrmerge layout, such as images made by
mkinitramfs(8) from initramfs-tools-core 0.132.
* debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).
-- Guilhem Moulin <guilhem@debian.org> Mon, 30 Jul 2018 17:09:02 +0800
dropbear (2018.76-2) unstable; urgency=low
* debian/control:
+ Bump Standards-Version to 4.1.4 (no changes necessary).
+ Migrate Vcs-Browser and Vcs-Git from Alioth to Salsa.
-- Guilhem Moulin <guilhem@debian.org> Tue, 05 Jun 2018 18:15:34 +0200
dropbear (2018.76-1) unstable; urgency=low
* New upstream release. Configuration/compatibility changes:
+ "dropbear -r" option for hostkeys no longer attempts to load the default
hostkey paths as well. If desired these can be specified manually.
+ group1-sha1 key exchange is disabled in the server by default since the
fixed 1024-bit group may be susceptible to attacks
+ twofish ciphers are now disabled in the default configuration
+ Default generated ECDSA key size is now 256 (rather than 521)
for better interoperability
+ Minimum RSA key length has been increased to 1024 bits
See https://dropbear.nl/mirror/CHANGES for the full changelog.
* debian/control: bump Standards-Version to 4.1.3 (no changes necessary).
* debian/dropbear-bin.docs: Remove TODO file.
* debian/rules: Explicitly append "-fPIE -pie" to the LDFLAGS.
-- Guilhem Moulin <guilhem@debian.org> Mon, 05 Mar 2018 14:36:19 +0100
dropbear (2017.75-3) unstable; urgency=low
* debian/control:
+ Remove hardcoding of libtomcryptX/libtommathY in dropbear-bin's Depends.
(Closes: #879221.)
+ Bump Standards-Version to 4.1.1. Changes:
- Replace dropbear's Priority from extra to optional (inherited from
source package paragraph).
-- Guilhem Moulin <guilhem@debian.org> Sun, 22 Oct 2017 14:30:10 +0200
dropbear (2017.75-2) unstable; urgency=low
* dropbear-initramfs:
+ init-bottom script: in the init-bottom script, send a SIGTERM to all
process groups the leader of which is a child of the dropbear process,
to ensure that all children of all SSH sessions are terminated (before
dropear itself is killed).
+ postinst: don't print the reminder to check "ip=" boot parameter if it's
already found in /proc/cmdline.
+ premount script: log to standard error if the 'debug' environment
variable is set.
+ premount script: boot method (local or NFS) is in environment variable
'BOOT' not 'boot'.
+ On local mounts, don't bring down the network before dropbear was
terminated (at init-bottom stage, not at local-bottom stage). Bringing
down the network while an SSH session is still active makes clients hang
until the connection times out.
+ init-bottom script: log which network interfaces are being brought down.
+ init-bottom script: replace xargs(1) with a while loop as it's
apparently not included in Ubuntu's busybox. (LP: #1652091)
+ Compile with '--disable-bundled-libtom' to use system libtomcrypt /
libtommath. (Closes: #870035)
* debian/control: bump Standards-Version to 4.0.0 (no changes necessary).
* debian/{control,dropbear-bin.install,dropbear-bin.manpages}: apply
wrap-and-sort(1).
-- Guilhem Moulin <guilhem@debian.org> Tue, 08 Aug 2017 21:59:06 +0200
dropbear (2017.75-1) unstable; urgency=medium
* New upstream release. Remove quilt patches CVE-2017-9078 and
CVE-2017-9079, previously backported from 2017.75 to 2016.74-5.
-- Guilhem Moulin <guilhem@debian.org> Sat, 17 Jun 2017 12:36:10 +0200
dropbear (2016.74-5) unstable; urgency=high
* Backport security fixes from 2017.75 (closes: #862970):
- CVE-2017-9078: Fix double-free in server TCP listener cleanup
A double-free in the server could be triggered by an authenticated user
if dropbear is running with -a (Allow connections to forwarded ports
from any host) This could potentially allow arbitrary code execution as
root by an authenticated user.
- CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
symlink.
Dropbear parsed authorized_keys as root, even if it were a symlink. The
fix is to switch to user permissions when opening authorized_keys
A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
-- Guilhem Moulin <guilhem@debian.org> Fri, 19 May 2017 23:41:21 +0200
dropbear (2016.74-4) unstable; urgency=medium
* Also trigger maintainer scripts when upgrading from dropbear
2014.65-1+deb8u1, by changing the upper bound from 2014.65-1 to
2015.68-1~. (Closes: #862544)
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 14 May 2017 16:56:40 +0200
dropbear (2016.74-3) unstable; urgency=high
* debian/copyright: add missing paragraphs to match upstream's LICENSE file.
(Closes: #860406.)
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 16 Apr 2017 12:22:56 +0200
dropbear (2016.74-2) unstable; urgency=low
* Tolerate lack of boot script config file /etc/dropbear-initramfs/config.
This can happen when dropbear-initramfs is upgraded (from <2016.73-1)
along with the kernel, and the kernel is configured before
dropbear-initramfs, cf. #841503.
* debian/control: Add Depends: lsb-base (>= 3.0-6) for dropbear-run.
* debian/README.Debian, debian/copyright: upgrade the homepage URI to
https://.
-- Guilhem Moulin <guilhem@guilhem.org> Tue, 13 Dec 2016 23:44:50 +0100
dropbear (2016.74-1) unstable; urgency=medium
[ Matt Johnston ]
* New upstream release.
[ Guilhem Moulin ]
* debian/control:
+ Bump Standards-Version to 3.9.8 (no changes necessary).
* Fix initramfs hostkey path in changelog and NEWS file. Patch from Lukáš
Krejza. (Closes: #830826.)
-- Guilhem Moulin <guilhem@guilhem.org> Fri, 29 Jul 2016 10:29:42 +0200
dropbear (2016.73-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
[ Guilhem Moulin ]
* dropbear-initramfs, dropbear-run:
+ In the postinst script, only generate host keys when all three key types
(DSS, RSA, ECDSA) are missing. For instance if an RSA host key is
present, a missing DSS host key will not be automatically generated.
+ Change architecture from 'any' to 'all' and remove --link-doc. This
enables dropbear-initramfs to have its own NEWS file.
* dropbear-run:
+ Use dh_installdirs to create /etc/dropbear.
* dropbear-initramfs:
+ Take host keys (resp. authorized_keys) from /etc/dropbear-initramfs
instead of /etc/initramfs-tools/etc/dropbear (resp.
/etc/initramfs-tools/root/.ssh).
These files are automatically moved on upgrade.
This is done following the initramfs-tools maintainers' request (see
#807527) that hook and boot script configuration files be stored outside
the /etc/initramfs-tools directory.
+ Move hook script initramfs configuration from
/etc/initramfs-tools/conf-hooks.d/dropbear to
/usr/share/initramfs-tools/conf-hooks.d/dropbear. As a consequence, the
file is no longer recognized as a user configuration file; it is only
used to set a restrictive umask (to avoid disclosing the host keys) and
to force the use of busybox.
+ Use /etc/dropbear-initramfs/config as initramfs boot script
configuration. For backward compatibility setting dropbear options in
/etc/initramfs-tools/initramfs.conf is still supported for now (but
sourcing this file causes the hook to print a warning).
(Closes: #819320.)
-- Guilhem Moulin <guilhem@guilhem.org> Wed, 13 Apr 2016 19:00:06 +0200
dropbear (2016.72-1) unstable; urgency=high
[ Matt Johnston ]
* New upstream release, fixing a xauth command injection vulnerability. See
also http://www.openwall.com/lists/oss-security/2016/03/10/8
[ Guilhem Moulin ]
* debian/control:
+ Bump Standards-Version to 3.9.7 (no changes necessary).
+ Change Vcs-Git URI from git:// to https://.
-- Guilhem Moulin <guilhem@guilhem.org> Thu, 10 Mar 2016 22:14:47 +0100
dropbear (2015.71-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
[ Guilhem Moulin ]
* dropbear-initramfs:
+ init-premount script: on local mounts, fork before
'configure_networking', so a user with access to the keyboard doesn't
need to wait for ipconfig to terminate to enter the passphrase.
(Closes: #806884.) It doesn't affect our fix to #584780 since
'configure_networking' and 'dropbear' run sequentially in the same
process.
-- Guilhem Moulin <guilhem@guilhem.org> Fri, 18 Dec 2015 13:10:57 +0100
dropbear (2015.70-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
[ Guilhem Moulin ]
* dropbear-initramfs:
+ Take dropbear options from the DROPBEAR_OPTIONS environment variable,
for consistency with DROPBEAR_IFDOWN. For backward compatibility the
value of $PKGOPTION_dropbear_OPTION is used when DROPBEAR_OPTIONS is
unset.
+ Take ownership of cryptsetup's /usr/share/doc/cryptsetup/README.remote
and ship it as /usr/share/doc/dropbear-initramfs/README.initramfs .
* debian/patches:
+ 0001-dbclient.1-dbclient-uses-compression-if-compiled-with.diff: Remove
patch applied upstream.
+ 0002-dropbearkey.8-mention-y-option-add-example.diff: Remove patch
applied upstream.
-- Guilhem Moulin <guilhem@guilhem.org> Thu, 26 Nov 2015 17:06:59 +0100
dropbear (2015.68-1) unstable; urgency=low
* New co-maintainer.
[ Matt Johnston ]
* New upstream release. (Closes: #631858, #775222.)
[ Guilhem Moulin ]
* debian/source/format: 3.0 (quilt)
* debian/compat: 9
* debian/control:
+ Bump Standards-Version to 3.9.6 (no changes necessary).
+ Add Homepage, Vcs-Git, and Vcs-Browser fields.
* debian/copyright: add machine-readable file.
* Split up package in dropbear-bin (binaries), dropbear-run (init scripts)
and dropbear-initramfs (initramfs integration). 'dropbear' is now a
transitional dummy package depending on on dropbear-run and
dropbear-initramfs. (Closes: #692932.)
* Refactor the package using dh_* tools, including dh_autoreconf. (Closes:
#689618, #777324, #793006, #793917.)
* Add 'Multi-Arch: foreign' tags.
* dropbear-run:
+ Add a status option to the /etc/init.d script.
+ Pass key files with -r not -d in /etc/init.d script. (Closes: #761143.)
+ Post-installation script: Generate missing ECDSA in addition to RSA and
DSS host keys. (Closes: #776976.)
* dropbear-initramfs:
+ No longer mark /usr/share/initramfs-tools/conf-hooks.d/dropbear as a
configuration file, since it violates the Debian Policy Manual section
10.7.2. (Regression from 2014.64-1.) Instead, move the file to
/etc/initramfs-tools/conf-hooks.d/dropbear and add a symlink in
/usr/share/initramfs-tools/conf-hooks.d.
+ Delete debian/initramfs/premount-devpts, since /dev/pts in mounted by
init since initramfs-tools 0.94. (Closes: #632656, #797939.)
+ Auto-generate host keys in the postinstall script, not when runing
update-initramfs. Pass the '-R' option (via $PKGOPTION_dropbear_OPTION)
for the old behavior. Also, print fingerprint and ASCII art for
generated keys (if ssh-keygen is available).
+ Revert ad2fb1c and remove warning about changing host key. Users
shouldn't be encouraged to use the same keys in the encrypted partition
and in the initramfs. The proper fix is to use an alternative port or
UserKnownHostFile.
+ Set ~root to `mktemp -d "$DESTDIR/root-XXXXXX"` to avoid collisions with
$rootmnt. (Closes: #558115.)
+ Exit gracefully if $IP is 'none' or 'off'. (Closes: #692932.)
+ Start dropbear with flag -s to explicitly disable password logins.
+ Terminate all children before killing dropbear, to avoid stalled SSH
connections. (Closes: #735203.)
+ Run configure_networking in the foreground. (Closes: #584780, #626181,
#739519.)
+ Bring down interfaces and flush IP routes and addresses before exiting
the ramdisk, to avoid dirty network configuration in the regular kernel.
(Closes: #715048, #720987, #720988.) The interfaces considered are
those matching the $DROPBEAR_IFDOWN shell pattern (default: '*'); the
special value 'none' keeps all interfaces up and preserves routing
tables and addresses.
-- Guilhem Moulin <guilhem@guilhem.org> Sat, 03 Oct 2015 20:47:33 +0200
dropbear (2014.65-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release (closes: #757780).
[ Gerrit Pape ]
* debian/diff/0003-options.h-use-usr-bin-xauth-instead-of...diff:
remove; applied upstream.
* debian/control: Standards-Version: 3.9.5.0.
-- Gerrit Pape <pape@smarden.org> Mon, 11 Aug 2014 20:50:11 +0000
dropbear (2014.64-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release (closes: #748826, #756561)..
[ Gerrit Pape ]
* debian/diff/: update.
* debian/initramfs/premount-devpts: apply patch from
https://launchpadlibrarian.net/107177971/dropbear_lp933903_precise_1.debdiff:
duplicate mount /dev/pts in initramfs (thx Mario 'BitKoenig' Holbe, Guy
Roussin, closes: #632656).
* debian/dropbear.postinst: apply patch from Karl O. Pinc: dropbear's
cryptroot setup does not use the system's host keys (closes:
#714899).
* debian/initramfs/dropbear-hook: apply patch from Karl O. Pinc:
There is no warning when the cryptroot host key differs from the
regular host key (closes: #714900).
* debian/dropbear.postrm: apply patch from Karl O. Pinc: dropbear does
not remove initramfs host keys on package purge (closes: #714945).
* debian/initramfs/premount-dropbear: apply half of patch from
Robert.Heinzmann: allow option specification for dropbear in
/etc/initramfs-tools/initramfs.conf (closes: #614981).
* debian/dropbear.conffiles: add
/usr/share/initramfs-tools/conf-hooks.d/dropbear (thx Karl O. Pinc,
closes: #715047).
* debian/rules: apply patch from Matthias Klose: please allow the
package to cross build (closes: #729845).
-- Gerrit Pape <pape@smarden.org> Fri, 01 Aug 2014 12:44:51 +0000
dropbear (2013.60-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
[ Gerrit Pape ]
* debian/diff/0004-cve-2013-4421.diff, 0005-user-disclosure.diff:
remove; fixed upstream.
* debian/dropbear.postinst: don't fail if initramfs-tools it not
installed (closes: #692653).
-- Gerrit Pape <pape@smarden.org> Fri, 25 Oct 2013 15:00:48 +0000
dropbear (2012.55-1.4) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix cve-2013-4421: memory exhaustion issue (closes: #726019).
* Fix timing delays that may reveal whether a user account is valid
(closes: #726118).
-- Michael Gilbert <mgilbert@debian.org> Wed, 16 Oct 2013 03:29:42 +0000
dropbear (2012.55-1.3) unstable; urgency=medium
* Non-maintainer upload.
* Fix initramfs hook when multiple variant of libc are installed.
All credits due to Helmut Grohne for the report and the solution.
(Closes: #682964)
-- Jérémy Bobbio <lunar@debian.org> Thu, 08 Nov 2012 10:45:01 +0100
dropbear (2012.55-1.2) unstable; urgency=low
* Non-maintainer upload.
* Unbreak initramfs hook when upgrading from Squeeze.
-- Jérémy Bobbio <lunar@debian.org> Tue, 25 Sep 2012 16:53:18 +0200
dropbear (2012.55-1.1) unstable; urgency=low
* Non-maintainer upload.
* Adjust initramfs hook to work with multi-arch. Initial patch by
Michael Stapelberg. (Closes: #630581)
-- Jérémy Bobbio <lunar@debian.org> Tue, 25 Sep 2012 09:17:06 +0200
dropbear (2012.55-1) unstable; urgency=high
* New upstream release.
* Fix use-after-free bug that could be triggered if command="..."
authorized_keys restrictions are used. Could allow arbitrary
code execution or bypass of the command="..." restriction to an
authenticated user. This bug affects releases 0.52 onwards.
Ref CVE-2012-0920 (closes: #661150). Thanks to Danny Fullerton
of Mantor Organization for reporting the bug.
-- Gerrit Pape <pape@smarden.org> Mon, 27 Feb 2012 14:18:53 +0000
dropbear (2011.54-1) unstable; urgency=low
[ Matt Johnston ]
* new upstream release.
* Added ALLOW_BLANK_PASSWORD option. Dropbear also now allows public
key logins to accounts with a blank password. Thanks to Rob
Landley (closes: #555889).
* Bind to sockets with IPV6_V6ONLY so that it works properly on
systems regardless of the system-wide setting (closes: #636696).
[ Gerrit Pape ]
* debian/control: Standards-Version: 3.9.2.0.
-- Gerrit Pape <pape@smarden.org> Wed, 16 Nov 2011 12:36:03 +0000
dropbear (0.53.1-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
* SSH_ORIGINAL_COMMAND environment variable is set by the server
when an authorized_keys command is specified (closes: #604524).
[ Gerrit Pape ]
* debian/rules: add --enable-bundled-libtom option to ./configure.
* debian/rules: remove -DXAUTH_COMMAND="/usr/bin/X11/xauth -q from
CFLAGS (workaround ./configure stupidity; closes: #625192).
* debian/diff/0003-options.h-use-usr-bin-xauth-instead-of...diff: new;
use /usr/bin/xauth instead of /usr/bin/X11/xauth for XAUTH_COMMAND
(closes: #614355).
-- Gerrit Pape <pape@smarden.org> Mon, 02 May 2011 16:35:14 +0000
dropbear (0.52-5) unstable; urgency=low
[ debian@x.ray.net ]
* debian/dropbear.postinst: initramfs-tools uses a conf-hooks.d/
directory for mkinitramfs ('compiletime') configuration, so to be
sure to read the whole/correct config we need to source the files
in there too, additionally to initramfs.conf (closes: #575504).
* debian/initramfs/dropbear-conf: set UMASK=0077 (closes: #578117).
[ Gerrit Pape ]
* debian/control: Standards-Version: 3.8.4.0.
-- Gerrit Pape <pape@smarden.org> Sun, 18 Apr 2010 23:04:36 +0000
dropbear (0.52-4) unstable; urgency=low
* debian/initramfs/dropbear-hook: allow more than one public key in
initramfs (thx Chris for the patch; closes: #548309).
-- Gerrit Pape <pape@smarden.org> Tue, 06 Oct 2009 01:51:42 +0000
dropbear (0.52-3) unstable; urgency=low
* debian/rules: configure: add XAUTH_COMMAND="/usr/bin/X11/xauth -q"
to CFLAGS (thx Axel Beckert, Colin Watson; closes: #532900).
* debian/dropbear.init: Improve abort messages due to
/etc/default/dropbear::NO_START (thx Jari Aalto for the patch;
closes: #541432).
* debian/control: Provides: ssh-server (thx Steffen Moeller; closes:
#543174)
* debian/control: Suggests: xauth (thx Francis Russell; closes:
#508233).
-- Gerrit Pape <pape@smarden.org> Thu, 24 Sep 2009 14:37:17 +0000
dropbear (0.52-2) unstable; urgency=medium
* debian/initramfs/premount-dropbear: run configure_networking in the
background (thx debian@x.ray.net, closes: #514213, #524728).
* debian/control: Standards-Version: 3.8.2.0.
-- Gerrit Pape <pape@smarden.org> Sun, 28 Jun 2009 23:22:39 +0000
dropbear (0.52-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
* dbclient.1: mention optional 'command' argument (closes: #495823).
[ Gerrit Pape ]
* debian/diff/0001-dbclient.1-dbclient-uses-compression-if...diff:
new; dbclient.1: dbclient uses compression if compiled with zlib
support (thx Luca Capello, closes: #495825).
* debian/initramfs/*: new; cryptroot remote unlocking on boot feature
(thx debian@x.ray.net).
* debian/rules: install debian/initramfs/* (thx debian@x.ray.net).
* debian/control: Suggests: udev (for cryptroot support, thx
debian@x.ray.net).
* debian/dropbear.postinst: conditionally run update-initramfs -u
(for cryptroot support, thx debian@x.ray.net. closes: #465903).
* debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff:
new; mention -y option, add example (thx debian@x.ray.net).
-- Gerrit Pape <pape@smarden.org> Wed, 19 Nov 2008 20:58:59 +0000
dropbear (0.51-1) unstable; urgency=low
[ Matt Johnston ]
* New upstream release.
- Wait until a process exits before the server closes a connection,
so that an exit code can be sent. This fixes problems with exit
codes not being returned, which could cause scp to fail (closes:
#448397, #472483).
[ Gerrit Pape ]
* debian/dropbear.postinst: don't print an error message if the
update-service program is not installed (thx Matt).
-- Gerrit Pape <pape@smarden.org> Thu, 27 Mar 2008 20:08:06 +0000
dropbear (0.50-4) unstable; urgency=low
* debian/dropbear.init: apply patch from Petter Reinholdtsen: add LSB
formatted dependency info in init.d script (closes: #466257).
* debian/rules: no longer include symlinks for ./supervise/ subdirectories.
* debian/dropbear.postinst: upgrade from << 0.50-4: if dropbear is managed
by runit, remove service, and re-add using update-service(8).
* debian/control: Standards-Version: 3.7.3.0.
* debian/rules: target clean: don't ignore errors but check for readable
./Makefile.
-- Gerrit Pape <pape@smarden.org> Thu, 06 Mar 2008 19:06:58 +0000
dropbear (0.50-3) unstable; urgency=low
* debian/dropbear.init: use the update-service(8) program from the runit
package instead of directly checking for the symlink in /var/service/.
* debian/README.runit: talk about update-service(8) instead of symlinks
in /var/service/.
-- Gerrit Pape <pape@smarden.org> Fri, 15 Feb 2008 00:32:37 +0000
dropbear (0.50-2) unstable; urgency=low
* debian/dropbear.README.Debian: no longer talk about entropy from
/dev/random, /dev/urandom is now used by default (thx Joey Hess,
closes: #441515).
-- Gerrit Pape <pape@smarden.org> Mon, 24 Sep 2007 16:49:17 +0000
dropbear (0.50-1) unstable; urgency=low
* debian/README.runit: minor.
* new upstream version.
* debian/diff/0001-options.h-use-dev-urandom-instead-of-dev-random-a.diff:
remove; fixed upstream.
-- Gerrit Pape <pape@smarden.org> Thu, 09 Aug 2007 23:01:01 +0000
dropbear (0.49-2) unstable; urgency=low
* debian/rules: apply diffs from debian/diff/ with patch -p1 instead of
-p0.
* debian/diff/0001-options.h-use-dev-urandom-instead-of-dev-random-a.diff:
new; options.h: use /dev/urandom instead of /dev/random as
DROPBEAR_RANDOM_DEV (closes: #386976).
* debian/rules: target clean: remove libtomcrypt/Makefile,
libtommath/Makefile.
-- Gerrit Pape <pape@smarden.org> Sat, 09 Jun 2007 08:59:59 +0000
dropbear (0.49-1) unstable; urgency=high
* new upstream release, fixes
* CVE-2007-1099: dropbear dbclient insufficient warning on hostkey
mismatch (closes: #412899).
* dbclient uses static "Password:" prompt instead of using the server's
prompt (closes: #394996).
* debian/control: Suggests: openssh-client, not ssh (closes: #405686);
Standards-Version: 3.7.2.2.
* debian/README.Debian: ssh -> openssh-server, openssh-client; remove
'Replacing OpenSSH "sshd" with Dropbear' part, this is simply done by not
installing the openssh-server package.
* debian/README.runit: runsvstat -> sv status.
-- Gerrit Pape <pape@smarden.org> Fri, 2 Mar 2007 20:48:18 +0000
dropbear (0.48.1-1) unstable; urgency=medium
* new upstream point release.
* Compile fix for scp
* debian/diff/dbclient.1.diff: new: document -R option to dbclient
accurately (thx Markus Schaber; closes: #351882).
* debian/dropbear.README.Debian: document a workaround for systems with
possibly blocking /dev/random device (closes: #355414)..
-- Gerrit Pape <pape@smarden.org> Sun, 16 Apr 2006 16:16:40 +0000
dropbear (0.48-1) unstable; urgency=medium
* New upstream release.
* SECURITY: Improve handling of denial of service attempts from a single
IP.
* debian/implicit: update to revision 1.11.
* new upstream release updates to scp from OpenSSH 4.3p2 - fixes a
security issue where use of system() could cause users to execute
arbitrary code through malformed filenames; CVE-2006-0225 (see also
#349645); the scp binary is not provided by this package though.
-- Gerrit Pape <pape@smarden.org> Fri, 10 Mar 2006 22:00:32 +0000
dropbear (0.47-1) unstable; urgency=high
* New upstream release.
* SECURITY: Fix incorrect buffer sizing; CVE-2005-4178.
-- Matt Johnston <matt@ucc.asn.au> Thu, 8 Dec 2005 19:20:21 +0800
dropbear (0.46-2) unstable; urgency=low
* debian/control: Standards-Version: 3.6.2.1; update descriptions to
mention included server and client (thx Tino Keitel).
* debian/dropbear.init: allow '/etc/init.d/dropbear stop' even though
'NO_START is not set to zero.' (closes: #336723).
-- Gerrit Pape <pape@smarden.org> Tue, 6 Dec 2005 13:30:49 +0000
dropbear (0.46-1) unstable; urgency=medium
* New upstream release, various fixes.
* debian/diff/dbclient-usage-typo.diff, debian/diff/manpages.diff: remove;
obsolete.
* debian/dbclient.1: move to ./dbclient.1.
-- Matt Johnston <matt@ucc.asn.au> Fri, 8 July 2005 21:32:55 +0800
dropbear (0.45-3) unstable; urgency=low
* debian/dropbear.init: init script prints human readable message in case
it's disabled (closes: #309099).
* debian/dropbear.postinst: configure: restart service through init script
instead of start.
* debian/dropbear.prerm: set -u -> set -e.
-- Gerrit Pape <pape@smarden.org> Wed, 25 May 2005 22:38:17 +0000
dropbear (0.45-2) unstable; urgency=low
* Matt Johnston:
* New upstream release, various fixes.
-- Gerrit Pape <pape@smarden.org> Sat, 12 Mar 2005 15:17:55 +0000
dropbear (0.44-1) unstable; urgency=low
* New upstream release.
* debian/rules: install /usr/bin/dbclient; handle possible patches more
gracefully; install debian/dbclient.1 man page; enable target patch;
minor.
* debian/implicit: update to revision 1.10.
* debian/dbclient.1: new; man page.
* debian/diff/dbclient-usage-typo.diff: new; fix typo.
* debian/diff/manpages.diff: new; add references to dbclient man page.
-- Gerrit Pape <pape@smarden.org> Sat, 8 Jan 2005 22:50:43 +0000
dropbear (0.43-2) unstable; urgency=high
* Matt Johnston:
* New upstream release 0.43
* SECURITY: Don't attempt to free uninitialised buffers in DSS verification
code
* Handle portforwarding to servers which don't send any initial data
(Closes: #258426)
* debian/dropbear.postinst: remove code causing bothersome warning on
package install (closes: #256752).
* debian/README.Debian.diet: new; how to build with the diet libc.
* debian/dropbear.docs: add debian/README.Debian.diet.
* debian/rules: support "diet" in DEB_BUILD_OPTIONS; minor cleanup.
-- Gerrit Pape <pape@smarden.org> Sat, 17 Jul 2004 19:31:19 +0000
dropbear (0.42-1) unstable; urgency=low
* New upstream release 0.42.
* debian/diff/cvs-20040520.diff: remove; obsolete.
* debian/rules: disable target patch.
-- Matt Johnston <matt@ucc.asn.au> Wed, 16 June 2004 12:44:54 +0800
dropbear (0.41-3) unstable; urgency=low
* 1st upload to the Debian archive (closes: #216553).
* debian/diff/cvs-20040520.diff: new; stable cvs snapshot.
* debian/rules: new target patch: apply diffs in debian/diff/, reverse
apply in target clean; install man pages.
* debian/control: Priority: optional.
-- Gerrit Pape <pape@smarden.org> Sun, 23 May 2004 08:32:37 +0000
dropbear (0.41-2) unstable; urgency=low
* new maintainer.
* debian/control: no longer Build-Depends: debhelper; Build-Depends:
libz-dev; Standards-Version: 3.6.1.0; Suggests: runit; update
descriptions.
* debian/rules: stop using debhelper, use implicit rules; cleanup;
install dropbearconvert into /usr/lib/dropbear/.
* debian/impicit: new; implicit rules.
* debian/copyright.in: adapt.
* debian/dropbear.init: minor adaptions; test for dropbear service
directory.
* debian/README.runit: new; how to use dropbear with runit.
* debian/README.Debian, debian/docs: rename to debian/dropbear.*.
* debian/dropbear.docs: add debian/README.runit
* debian/conffiles: rename to debian/dropbear.conffiles; add init
script, and run scripts.
* debian/postinst: rename to debian/dropbear.postinst; adapt; use
invloke-rc.d dropbear start.
* debian/dropbear.prerm: new; invoke-rc.d dropbear stop.
* debian/postrm: rename to debian/dropbear.postrm; adapt; clean up
service directories.
* debian/compat, debian/dirs, dropbear.default: remove; obsolete.
-- Gerrit Pape <pape@smarden.org> Sun, 16 May 2004 16:50:55 +0000
dropbear (0.41-1) unstable; urgency=low
* Updated to 0.41 release.
* Various minor fixes
-- Matt Johnston <matt@ucc.asn.au> Mon, 19 Jan 2004 23:20:54 +0800
dropbear (0.39-1) unstable; urgency=low
* updated to 0.39 release. Some new features, some bugfixes.
-- Matt Johnston <matt@ucc.asn.au> Tue, 16 Dec 2003 16:20:54 +0800
dropbear (0.38-1) unstable; urgency=medium
* updated to 0.38 release - various important bugfixes
-- Matt Johnston <matt@ucc.asn.au> Sat, 11 Oct 2003 16:28:54 +0800
dropbear (0.37-1) unstable; urgency=medium
* updated to 0.37 release - various important bugfixes
-- Matt Johnston <matt@ucc.asn.au> Wed, 24 Sept 2003 19:43:54 +0800
dropbear (0.36-1) unstable; urgency=high
* updated to 0.36 release - various important bugfixes
-- Matt Johnston <matt@ucc.asn.au> Tues, 19 Aug 2003 12:20:54 +0800
dropbear (0.35-1) unstable; urgency=high
* updated to 0.35 release - contains fix for remotely exploitable
vulnerability.
-- Matt Johnston <matt@ucc.asn.au> Sun, 17 Aug 2003 05:37:47 +0800
dropbear (0.34-1) unstable; urgency=medium
* updated to 0.34 release
-- Matt Johnston <matt@ucc.asn.au> Fri, 15 Aug 2003 15:10:00 +0800
dropbear (0.33-1) unstable; urgency=medium
* updated to 0.33 release
-- Matt Johnston <matt@ucc.asn.au> Sun, 22 Jun 2003 22:22:00 +0800
dropbear (0.32cvs-1) unstable; urgency=medium
* now maintained in UCC CVS
* debian/copyright.in file added, generated from LICENSE
-- Grahame Bowland <grahame@angrygoats.net> Sat, 21 Jun 2003 17:57:02 +0800
dropbear (0.32cvs-1) unstable; urgency=medium
* sync with CVS
* fixes X crash bug
-- Grahame Bowland <grahame@angrygoats.net> Fri, 20 Jun 2003 15:04:47 +0800
dropbear (0.32-2) unstable; urgency=low
* fix creation of host keys to use correct names in /etc/dropbear
* init script "restart" function fixed
* purging this package now deletes the host keys and /etc/dropbear
* change priority in debian/control to 'standard'
-- Grahame Bowland <grahame@angrygoats.net> Tue, 17 Jun 2003 15:04:47 +0800
dropbear (0.32-1) unstable; urgency=low
* Initial Release.
-- Grahame Bowland <grahame@angrygoats.net> Tue, 17 Jun 2003 15:04:47 +0800