From 1d4b5836a9bdadc3f3365961137bf2a34cf74932 Mon Sep 17 00:00:00 2001 From: Piotr Kubaj Date: Wed, 7 May 2025 22:08:39 +0200 Subject: [PATCH] security/dropbear: update to 2025.88 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changelog: - Security: Don't allow dbclient hostname arguments to be interpreted by the shell. dbclient hostname arguments with a comma (for multihop) would be passed to the shell which could result in running arbitrary shell commands locally. That could be a security issue in situations where dbclient is passed untrusted hostname arguments. Now the multihop command is executed directly, no shell is involved. Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203 - Fix compatibility for htole64 and htole32, regression in 2025.87 Patch from Peter Fichtner to work with old GCC versions, and patch from Matt Robinson to check different header files. - Fix building on older compilers or libc that don't support static_assert(). Regression in 2025.87 - Support ~R in the client to force a key re-exchange. - Improve strict KEX handling. Dropbear previously would allow other packets at the end of key exchange prior to receiving the remote peer's NEWKEYS message, which should be forbidden by strict KEX. Reported by Fabian Bäumer. --- security/dropbear/Makefile | 2 +- security/dropbear/distinfo | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/dropbear/Makefile b/security/dropbear/Makefile index 31723fac10a3..86a98ed52493 100644 --- a/security/dropbear/Makefile +++ b/security/dropbear/Makefile @@ -1,5 +1,5 @@ PORTNAME= dropbear -PORTVERSION= 2025.87 +PORTVERSION= 2025.88 CATEGORIES= security MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/ diff --git a/security/dropbear/distinfo b/security/dropbear/distinfo index bc2b2084b527..8eccf5f9f7b0 100644 --- a/security/dropbear/distinfo +++ b/security/dropbear/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1741554412 -SHA256 (dropbear-2025.87.tar.bz2) = 738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d -SIZE (dropbear-2025.87.tar.bz2) = 2368085 +TIMESTAMP = 1746647982 +SHA256 (dropbear-2025.88.tar.bz2) = 783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 +SIZE (dropbear-2025.88.tar.bz2) = 2370480
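Review bot: The PORTVERSION bump to 2025.88 in security/dropbear/Makefile delivers the fix for CVE-2025-47203, but the diffstat lists only Makefile and distinfo, so nothing in this change records the vulnerability for installations still on 2025.87. Consider adding a Security: line naming the CVE to the commit message and a matching security/vuxml entry, in this commit or a follow-up, so that pkg audit flags the older version.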
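Review bot: The new SHA256 and SIZE lines in security/dropbear/distinfo are the only integrity pin for dropbear-2025.88.tar.bz2, and they cannot be checked from the patch itself. Before committing, compare the digest with the value upstream publishes for the release instead of relying only on the hash of a locally fetched tarball, and say in the commit message that this was done.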