Dropbear SSH Release 2026.90 with Vulnerability Fixes

Release 2026.90 of the Dropbear project, which develops an SSH server and client popular in wireless routers and compact distributions such as OpenWrt, has been published. Dropbear features low memory consumption, the ability to disable unnecessary functionality at build time, and support for building both the client and server into a single executable, similar to busybox. When statically linked with uClibc, the Dropbear executable is only 110 KB in size. Dropbear supports X11 forwarding, is compatible with the OpenSSH key file format (~/.ssh/authorized_keys), and can establish multi-hop connections forwarded through an intermediate host. The project's code is written in C and distributed under an MIT-like license.

The new version fixes several security issues:

  • Incomplete fix for a vulnerability in scp (CVE-2019-6111) that allows a malicious server to overwrite other files on the client. With scp, the server decides which files and directories to send, and the client only checks the returned object names for validity. This client-side check prevents escaping the current directory ("../"), but in the case of recursive copying (-r) it ignored directories transferred under names different from the ones originally requested. The issue is resolved by disallowing the "-r" option when the target directory already exists.
  • A vulnerability (CVE-2026-35385) in the scp utility caused setuid/setgid bits to not be cleared after uploading a file with root privileges using the "-O" option and without the "-p" option.
  • Ability to bypass the "forced_command" command configured in authorized_keys when connecting as an authenticated user with the "-t" option enabled (two-factor login requiring both a password and public key verification).
  • Denial of service by a local user creating a special file named authorized_keys that blocks read operations.
  • An out-of-bounds read when setting up client- and server-side request forwarding handlers may result in arbitrary file descriptors being closed.
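The client-side name check discussed in the scp item above, as an added illustration written for this article rather than Dropbear's own code: the control-record format is the scp protocol's ("D<mode> 0 <name>" opens a directory, "C<mode> <size> <name>" sends a file, "E" closes a directory), and the sample records, the `requested` set and all function names are constructed for the example.

```python
import re

# Constructed sample of scp control records a server might send in reply to a
# recursive request for the single directory "docs".
SAMPLE_RECORDS = [
    "D0755 0 docs",
    "C0644 12 readme.txt",
    "C0644 5 ../.bashrc",       # path escape: caught by the basic name check
    "E",
    "D0755 0 .ssh",             # top-level directory the client never asked for
    "C0600 40 authorized_keys",
    "E",
]

RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")

def name_is_safe(name):
    """The basic check scp clients apply to every received name."""
    return name not in ("", ".", "..") and "/" not in name

def check_scp_records(records, requested):
    """Walk server records and return a list of (record, reason) refused.

    `requested` is the set of top-level names the client asked for. A
    top-level directory whose name is not in that set is flagged; that is
    the case the original CVE-2019-6111 client-side check ignored under -r.
    A real client would abort at the first refusal; this keeps walking so
    every problem in the sample is reported.
    """
    refused = []
    depth = 0
    for rec in records:
        if rec == "E":
            depth = max(0, depth - 1)
            continue
        m = RECORD_RE.match(rec)
        if not m:
            refused.append((rec, "malformed record"))
            continue
        kind, _mode, _size, name = m.groups()
        if not name_is_safe(name):
            refused.append((rec, "unsafe name"))
        elif depth == 0 and name not in requested:
            refused.append((rec, "name not requested"))
        if kind == "D":
            depth += 1   # track nesting even for refused directories
    return refused
```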

Non-security related changes:

  • The "-R" option has been added to the ssh client for forwarding Unix sockets through an SSH tunnel.
  • The "-M" option has been added to sshd to limit the maximum session duration.
  • Added the "permitlisten" option to "authorized_keys" to restrict the ports allowed for forwarding.
  • Support for RSA keys created with dropbearkey 0.32 or earlier versions of this utility has been discontinued. These keys are susceptible to a side-channel attack that measures the difference in processing time between cached and uncached data.
  • To prevent public key guessing against hosts, the number of public key requests is limited to 15 attempts per session.

Source: opennet.ru