
Dropbear 2022.83

@mkj mkj released this 14 Nov 14:05

Download tarballs from
https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.83.tar.bz2 or
https://mirror.dropbear.nl/mirror/dropbear-2022.83.tar.bz2

Features and Changes:

Note: items marked >> are compatibility/configuration changes

  • >> Disable DROPBEAR_DSS by default
    It is only 1024-bit and uses sha1; most distros already disable it by default.

  • Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
    >> RSA with sha1 will be disabled in a future release (rsa keys will continue
    to work OK, with sha256 signatures used instead).

  • Add option for requiring both password and pubkey (-t)
    Patch from Jackkal

  • Add 'no-touch-required' and 'verify-required' options for sk keys
    Patch from Egor Duda

  • >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
    and DROPBEAR_SK_ED25519 options.

  • Add 'permitopen' option for authorized_keys to restrict forwarded ports
    Patch from Tuomas Haikarainen

  • >> Added LTM_CFLAGS configure argument to set flags for building
    bundled libtommath. This also restores the previous arguments used
    in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
    key generation, which regressed in 2022.82.
    There is a tradeoff with code size, so -Os can be used if required.
    #174
    Reported by David Bernard

  • Add '-z' flag to disable setting the QoS traffic class. This may be necessary
    to work with broken networks or network drivers, a problem exposed by the change
    to use AF21 in 2022.82.
    #193
    Reported by yuhongwei380, patch from Petr Štetiar

  • Allow overriding user shells with COMPAT_USER_SHELLS
    Based on a patch from Matt Robinson

  • Improve permission error message
    Patch from k-kurematsu

  • >> Remove HMAC_MD5 entirely

Regression fixes from 2022.82:

  • Fix X11 build

  • Fix build warning

  • Fix compilation when disabling pubkey authentication
    Patch from MaxMougg

  • Fix MAX_UNAUTH_CLIENTS regression
    Reported by ptpt52

  • Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
    #174
    Suggested by Steffen Jaeckel

  • Fix Dropbear plugin support
    #194
    Reported by Struan Bartlett

Other fixes:

  • Fix a long-standing incorrect compression size check. Dropbear
    (client or server) would erroneously exit with
    "bad packet, oversized decompressed"
    when receiving a compressed packet whose decompressed size was exactly the maximum.

  • Fix missing setsid() removed in 2020.79
    #180
    Reported and debugged by m5jt and David Bernard

  • Try keyboard-interactive auth before password, in dbclient.
    This was unintentionally changed back in 2013
    #190
    Patch from Michele Giacomoli

  • Drain the terminal when reading the fingerprint confirmation response
    #191
    Patch from Michele Giacomoli

  • Fix utx wtmp variable typo. This had been wrong for a long time but
    only recently became a problem, once wtmp was detected by configure.
    #189
    Patch from Michele Giacomoli

  • Improve the configure test for hardening options.
    Fixes building on AIX.
    #158

  • Fix debian/dropbear.init newline
    From wulei-student

Infrastructure:

  • Test off-by-default compile options

  • Set -Wundef to catch typos in #if statements
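An added illustration of why the -Wundef item matters (this is a constructed demo, not Dropbear's own code or build scripts): a misspelled option macro in an #if silently evaluates to 0 and compiles the feature out, while -Werror=undef turns the same typo into a build failure. The macro names below are assumed for the demo; it uses whatever C compiler $CC (default cc) points at.

```shell
#!/bin/sh
# Demo (not Dropbear code): show that -Wundef catches a typo in an #if
# that would otherwise silently disable a configured feature.
set -u
CC="${CC:-cc}"

# Compile a constructed file twice: once plainly, once with -Werror=undef.
# Prints "yes" if -Werror=undef rejects the misspelled macro, "no" if it
# is accepted, and "skip" if no working C compiler is available.
wundef_catches_typo() {
    command -v "$CC" >/dev/null 2>&1 || { echo skip; return 0; }
    dir=$(mktemp -d) || return 1
    cat > "$dir/opt.c" <<'EOF'
#define DROPBEAR_RSA_SHA1 1      /* option enabled in the build config */
#if DROPBEAR_RSA_SHA1            /* spelled correctly: feature built in */
int correct(void) { return 1; }
#else
int correct(void) { return 0; }
#endif
#if DROPBER_RSA_SHA1             /* typo: undefined, silently evaluates to 0 */
int typo(void) { return 1; }
#else
int typo(void) { return 0; }     /* feature quietly compiled out */
#endif
EOF
    # Without the flag the typo is accepted and the wrong branch is built.
    if ! "$CC" -c -o "$dir/quiet.o" "$dir/opt.c" 2>/dev/null; then
        rm -rf "$dir"; echo skip; return 0
    fi
    # With -Werror=undef the undefined macro must make the build fail.
    if "$CC" -Werror=undef -c -o "$dir/strict.o" "$dir/opt.c" 2>/dev/null; then
        rm -rf "$dir"; echo no
    else
        rm -rf "$dir"; echo yes
    fi
}

echo "-Werror=undef rejects the misspelled #if: $(wundef_catches_typo)"
```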