Change log for dropbear package in Ubuntu
dropbear (2024.85-1) unstable; urgency=medium * New upstream bugfix release. * Update Standards-Version to 4.7.0 (no changes necessary). -- Guilhem Moulin <email address hidden> Fri, 26 Apr 2024 12:04:25 +0200
Published in oracular-release |
Published in noble-release |
Deleted in noble-proposed (Reason: Moved to noble) |
dropbear (2022.83-4) unstable; urgency=medium

  * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
    certain OpenSSH extensions allows remote attackers to bypass integrity
    checks such that some packets are omitted (from the extension
    negotiation message), and a client and server may consequently end up
    with a connection for which some security features have been downgraded
    or disabled, aka a Terrapin attack. (Closes: #1059001)

 -- Guilhem Moulin <email address hidden>  Thu, 25 Jan 2024 02:08:38 +0100
Available diffs
- diff from 2022.83-3 to 2022.83-4 (3.0 KiB)
dropbear (2022.83-3) unstable; urgency=medium * d/control: Drop dropbear-run binary package. (Closes: #1038256) * initramfs hook: Reuse ~root if set up in $DESTDIR. (Closes: #1056274) * Refresh d/patches. * Cherry-pick upstream commit to remove more files in distclean. (Closes: #1044936) -- Guilhem Moulin <email address hidden> Tue, 21 Nov 2023 12:24:46 +0100
Available diffs
- diff from 2022.83-2 to 2022.83-3 (2.2 KiB)
Superseded in noble-release |
Published in mantic-release |
Deleted in mantic-proposed (Reason: Moved to mantic) |
dropbear (2022.83-2) unstable; urgency=medium

  * d/.gitattribute: New file for proper merging of d/changelog.
  * Update standards version to 4.6.2, no changes needed.
  * d/u/metadata: Replace hg.ucc.asn.au repo with GitHub.
    https://hg.ucc.asn.au/dropbear has not been updated since 2022.82 and
    the homepage doesn't advertize it anymore.
  * d/control: dropbear: Replace ‘Depends: lsb-base (>= 3.0-6)’ with
    ‘sysvinit-utils (>= 3.05-4~) | lsb-base (>= 3.0-6)’.

 -- Guilhem Moulin <email address hidden>  Sat, 10 Jun 2023 22:56:47 +0200
Available diffs
- diff from 2022.83-1 to 2022.83-2 (930 bytes)
Superseded in mantic-release |
Published in lunar-release |
Deleted in lunar-proposed (Reason: Moved to lunar) |
dropbear (2022.83-1) unstable; urgency=medium

  * New upstream release 2022.83. Support for ssh-dss (DSA) host and user
    keys is disabled by default at compile-time. Such keys are considered
    insecure as they are only 1024 bits long and use the SHA-1 digest
    algorithm. Note that OpenSSH disables support for such keys at run-time
    since 7.0/7.0p1.
  * Reflect ssh-dss deprecation in maintscripts and NEWS file.
  * d/t/remote-unlocking: Use 2 vCPUs.

 -- Guilhem Moulin <email address hidden>  Mon, 14 Nov 2022 22:16:35 +0100
Available diffs
- diff from 2022.82-4 to 2022.83-1 (74.1 KiB)
- diff from 2022.82-4.1 to 2022.83-1 (74.1 KiB)
Superseded in lunar-proposed |
dropbear (2022.82-4.1) unstable; urgency=medium * Non-maintainer upload. * No source change upload to rebuild with debhelper 13.10. -- Michael Biebl <email address hidden> Sat, 15 Oct 2022 12:01:59 +0200
Superseded in lunar-release |
Obsolete in kinetic-release |
Deleted in kinetic-proposed (Reason: Moved to kinetic) |
dropbear (2022.82-4) unstable; urgency=medium

  [ Guilhem Moulin ]
  * d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
  * Salsa CI: Remove default configuration file.
  * Update standards version to 4.6.1, no changes needed.
  * d/t/remote-unlocking: Mask systemd-firstboot.service to fix debci with
    systemd 251.5-1.
  * d/copyright: typofix.
  * Refresh lintian overrides to accommodate lintian v2.115.

  [ Steve Langasek ]
  * DEP-8: Call mkdir with -p to fix autopkgtest on Ubuntu.
    (Closes: #1017876)

 -- Guilhem Moulin <email address hidden>  Wed, 05 Oct 2022 20:20:13 +0200
dropbear (2022.82-3ubuntu1) kinetic; urgency=medium * Fix autopkgtest to not fail if ~/.ssh already exists. -- Steve Langasek <email address hidden> Sun, 21 Aug 2022 23:05:45 +0000
dropbear (2022.82-3) unstable; urgency=low

  * d/t/upstream-tests: Set DBTEST_IN_ACTION=true so we don't skip
    test_svrauth.py.
  * d/t/upstream-tests: Guard against direct use.
  * d/dropbear.preinst: Also migrate *unmodified* /etc/default/dropbear from
    Jessie, Stretch, and Buster to conffile. Existing files were never
    touched by postinst, so it makes sense to migrate known stock versions
    older than Bullseye.
  * d/t/remote-unlocking: Don't look for swap in the validation phase as
    doing so is racy.
  * d/patches: Fix FTBFS on hurd-i386.
  * Add d/u/metadata.
  * d/dropbear.postrm: Minor quoting improvements
  * d/t/control: Improve comment in remote-unlocking test.

 -- Guilhem Moulin <email address hidden>  Mon, 04 Apr 2022 23:32:24 +0200
Superseded in kinetic-release |
Published in jammy-release |
Deleted in jammy-proposed (Reason: Moved to jammy) |
dropbear (2020.81-5) unstable; urgency=medium

  * d/t/remote-unlocking: Replace QEMU's deprecated short-form boolean
    options.
  * d/t/remote-unlocking: Set cache=unsafe on the target drive.
  * d/t/remote-unlocking: Use apt-get indextargets's Repo-URI not its URI.
  * d/t/remote-unlocking: Ensure we're the current version of the package is
    available.
  * d/t/remote-unlocking: Replace linux-image-amd64 with
    linux-image-generic.
  * d/t/remote-unlocking: Set 'size=256' in crypttab(5).
  * d/t/remote-unlocking: Fix APT Repo-URI scheme.
  * d/rules: Replace manual call to dh_link with a new d/dropbear.links file.
  * d/copyright: Set field Upstream-Name.
  * Refresh lintian overrides to accommodate lintian v2.114.

 -- Guilhem Moulin <email address hidden>  Wed, 08 Dec 2021 12:37:31 +0100
Available diffs
- diff from 2020.81-4 to 2020.81-5 (3.3 KiB)
dropbear (2020.81-4) unstable; urgency=low

  * d/control: Remove <pape> from Uploaders. Thanks to gerrit for their work
    on the dropbear package! (Closes: #907082)
  * d/control: dropbear: Demote 'dropbear-initramfs' to Suggests.
    (Closes: #962132)
  * d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
  * initramfs boot script: Don't exit when IP={none,off}. (Closes: #958526)
  * Rename /etc/dropbear-initramfs to /etc/dropbear/initramfs, and
    /etc/dropbear-initramfs/config to /etc/dropbear/initramfs/dropbear.conf.
  * d/t/on-lvm-and-luks: Near-complete rewrite:
    - Adjust partition sizes to account for the current needs of the distro.
    - Set 'Architecture: amd64' to properly skip the test on other
      architectures.
    - Run mmdebstrap(1) with --mode=auto instead of --mode=root. This uses
      --mode=unshare when kernel.unprivileged_userns_clone is set to 1,
      otherwise --mode=fakeroot (#944929 is now fixed)
    - Consolidate style.
    - Ensure we're testing the current dropbear-initramfs version.
    - Use KVM acceleration when possible. Also, try to create /dev/kvm if
      missing (for instance in a chroot where /dev is not managed by udev).
    - Raise timeout values so the test has a chance to complete when KVM is
      not supported/used.
    - Adjust copyright.
    - Replace 'Depends: libguestfs-tools, sleepenh, time' with 'Depends:
      cryptsetup-initramfs, fdisk, initramfs-tools-core, lvm2'. Instead of
      using guestfish(1) to set up a first system which is in turn used to
      set up the target system, we build a custom initramfs image containing
      the required dependencies, boot into it and entirely set up the target
      system from there.
    - Unconditionally dump (in real time) the guest's serial console into
      the standard output. Before it was only done upon error.
    - Use a random key file instead of a hardcoded/pre-chosen passphrase.
    - Restrict the guest's ability to reach external hosts.
    - Assign static addresses under 10.0.2.128/25 instead of using DHCP.
      That way we don't have to include 'isc-dhcp-client' in the debootstrap
      chroot.
    - Use dropbear instead of OpenSSH in the main system as well, not just
      in the initramfs. After all we're testing dropbear here :-)
    - Instead of having the root and swap (resume) devices each in its own
      LV held by a LUKS device, we put the root FS directly on the root
      device, and add a new plain dm-crypt partition for a transient swap
      device. This removes 'Depends: lvm2'. Consequently, the test is
      renamed to 'remote-unlocking'.

 -- Guilhem Moulin <email address hidden>  Thu, 19 Aug 2021 13:08:39 +0200
Available diffs
- diff from 2020.81-3 to 2020.81-4 (16.1 KiB)
Superseded in jammy-release |
Obsolete in impish-release |
Obsolete in hirsute-release |
Deleted in hirsute-proposed (Reason: moved to Release) |
dropbear (2020.81-3) unstable; urgency=medium * Initramfs: Use 10 placeholders in ~root template. * Initramfs: Explicitly pass --tmpdir flag to mktemp(1). * Initramfs hook: Better guard against unsafe $DESTDIR. * Postinst: Show hostkey filename in showpubkey(). * Postinst: No longer generate DSS (DSA) host keys. -- Guilhem Moulin <email address hidden> Thu, 14 Jan 2021 21:14:26 +0100
Available diffs
- diff from 2020.81-2 to 2020.81-3 (2.0 KiB)
dropbear (2020.81-2) unstable; urgency=medium

  * Initramfs hook: Use ldconfig to find the path of the dlopen()'ed sonames
    to copy over.
  * Rename Debian branch to debian/latest for DEP-14 compliance.
  * Remove compression=bzip2 from d/gbp.conf.
  * Initramfs init-bottom script: Make wait_for_dropbear() 60s timeout
    configurable with new option $DROPBEAR_SHUTDOWN_TIMEOUT.
    (Closes: #964187)
  * Update watch file format version to 4.
  * Bump Standards-Version to 4.5.1 (no changes necessary).
  * d/patches/local-options.patch: Mark "Forwarded: not-needed".
  * d/debian/dropbear.postinst: Use dropbearconvert(1) from $PATH not from
    deprecated /usr/lib/dropbear.
  * dropbear-bin: Override "breakout-link usr/lib/dropbear/dropbearconvert
    -> usr/bin/dropbearconvert" lintian warning. This is a compatibility
    symlink since 2020.79-1.

 -- Guilhem Moulin <email address hidden>  Fri, 01 Jan 2021 20:41:58 +0100
Available diffs
- diff from 2020.81-1 to 2020.81-2 (2.7 KiB)
dropbear (2020.81-1) unstable; urgency=medium * New upstream bugfix release. -- Guilhem Moulin <email address hidden> Thu, 29 Oct 2020 23:16:17 +0100
Available diffs
- diff from 2020.80-1 to 2020.81-1 (23.9 KiB)
Superseded in hirsute-release |
Obsolete in groovy-release |
Deleted in groovy-proposed (Reason: moved to Release) |
dropbear (2020.80-1) unstable; urgency=medium * New upstream bugfix release. * debian/patches/authorized_keys-options-parsing.patch: Remove patch, now applied upstream. * debian/tests/on-lvm-and-luks: Replace dpkg-architecture(1) call with `dpkg --print-architecture`. The CI runners aren't build machines. -- Guilhem Moulin <email address hidden> Fri, 26 Jun 2020 17:38:44 +0200
Available diffs
- diff from 2020.79-2 to 2020.80-1 (14.6 KiB)
dropbear (2020.79-2) unstable; urgency=medium * debian/tests/on-lvm-and-luks: skip test on non-amd64 hosts. * Remove build dependency on dh-exec(1). * debian/control: Bump debhelper compatibility level to 13. * debian/service/run: (runit script) to drop deprecated option '-d' and add support for ECDSA and ED25519 host keys. -- Guilhem Moulin <email address hidden> Tue, 16 Jun 2020 16:09:57 +0200
Available diffs
- diff from 2020.79-1 to 2020.79-2 (4.9 KiB)
dropbear (2020.79-1) unstable; urgency=low

  [ Guilhem Moulin ]
  * New upstream release. Highlights and potentially breaking changes
    include
    + Add ed25519 host and client keys support.
    + Add ChaCha20/Poly1305 authenticated cipher support.
    + X11 forwarding is disabled at compile time.
    + AES-CBC and 3DES ciphers are disabled at compile time.
    + Use getrandom() call for entropy collection.
  * debian/README.initramfs: fix path to cryptsetup's README.Debian.gz.
    (Closes: #934146)
  * debian/initramfs/dropbear-hook: Don't mention cryptroot in warning
    messages, only SSH login.
  * debian/initramfs/bottom-dropbear: Wait for dropbear to start before
    bringing the network down. This avoids a race where the network stack
    were fully not configured yet by the time the execution is handed over
    to the main system. (Closes: #943459)
  * debian/dropbear.postinst: Remove comparison with ancient version 0.50-4
    (released in 2008).
  * debian/control: dropbear: Add Pre-Depends: ${misc:Pre-Depends}.
  * debian/control: Bump Standards-Version to 4.5.0 (no changes necessary).
  * debian/control: Set 'Rules-Requires-Root: no'.
  * debian/control: Remove duplicate Depends: lsb-base.
  * debian/control: Bump minimum version for libtomcrypt and libtommath.
  * Install dropbearconvert(1) to /usr/bin, and add a compatibility symlink
    in its previous location /usr/lib/dropbear.

  [ Johannes 'josch' Schauer ]
  * Add autopkgtest to test dropbear-initramfs. (Closes: #934753)
  * Enable Salsa CI tests.

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Add missing dependency on lsb-base.
  * Bump debhelper from old 9 to 12.
  * Drop unnecessary dependency on dh-autoconf.
  * Rely on pre-initialized dpkg-architecture variables.
  * Fix day-of-week for changelog entries 0.32cvs-1, 0.32cvs-1.
  * Wrap long lines in changelog entries: 2014.64-1.

 -- Guilhem Moulin <email address hidden>  Tue, 16 Jun 2020 02:50:00 +0200
Superseded in groovy-release |
Published in focal-release |
Obsolete in eoan-release |
Deleted in eoan-proposed (Reason: moved to release) |
dropbear (2019.78-2build1) eoan; urgency=medium * No-change upload with strops.h and sys/strops.h removed in glibc. -- Matthias Klose <email address hidden> Thu, 05 Sep 2019 10:47:46 +0000
dropbear (2019.78-2) unstable; urgency=medium * Improve upgrade path via Recommends and NEWS entry. * d/control: + Change dropbear's Recommends to 'cryptsetup-initramfs' from 'cryptsetup'. That's the package shipping cryptsetup's initramfs integration. + Bump Standards-Version to 4.4.0 (no changes necessary). -- Guilhem Moulin <email address hidden> Sat, 27 Jul 2019 18:20:59 -0300
Available diffs
- diff from 2019.78-1 to 2019.78-2 (1.0 KiB)
dropbear (2019.78-1) unstable; urgency=medium * New upstream release. * Rename 'dropbear-run' to 'dropbear'. 'dropbear-run' is now a transitional dummy package depending on 'dropbear'. This complete the package split started with 2015.68-1. * dropbear-initramfs: Remove backward compatibility checks and warnings that were added for the upgrade path from Jessie to Stretch. (Closes: #926875) -- Guilhem Moulin <email address hidden> Mon, 08 Jul 2019 17:06:07 +0200
Available diffs
- diff from 2018.76-5 to 2019.78-1 (78.8 KiB)
Superseded in eoan-release |
Obsolete in disco-release |
Deleted in disco-proposed (Reason: moved to release) |
dropbear (2018.76-5) unstable; urgency=medium * Put custom options, such as SFTPSERVER_PATH, in localoptions.h not in debian/rules. Regression since 2018.76-1, cf. upstream's CHANGES file. (Closes: #915826.) * debian/upstream/signing-key.asc: Minimize upstream's OpenPGP certificate. * debian/control: Bump Standards-Version to 4.3.0 (no changes necessary). -- Guilhem Moulin <email address hidden> Tue, 12 Feb 2019 13:06:15 +0100
Available diffs
- diff from 2018.76-4 to 2018.76-5 (2.3 KiB)
Superseded in disco-release |
Obsolete in cosmic-release |
Deleted in cosmic-proposed (Reason: moved to release) |
dropbear (2018.76-4) unstable; urgency=medium

  * Backport security fix for CVE-2018-15599: The recv_msg_userauth_request
    function in svr-auth.c in Dropbear through 2018.76 is prone to a user
    enumeration vulnerability because username validity affects how fields
    in SSH_MSG_USERAUTH messages are handled. (Closes: #906890.)
    Cherry-picked from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
  * debian/control: Bump Standards-Version to 4.2.0 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Fri, 24 Aug 2018 14:36:51 +0200
Available diffs
- diff from 2018.76-3 to 2018.76-4 (3.1 KiB)
dropbear (2018.76-3) unstable; urgency=medium

  * debian/initramfs/bottom-dropbear:
    + Read and parse /proc/*/stat instead of ps(1)'s output, as ps(1)
      options differ between Debian and Ubuntu's busybox. Thanks to
      'eviljoel' for the patch. (LP: #1652091.)
    + Normalize paths before comparison. This fixes dropbear shutdown on
      initramfs images with an usrmerge layout, such as images made by
      mkinitramfs(8) from initramfs-tools-core 0.132.
  * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

 -- Guilhem Moulin <email address hidden>  Mon, 30 Jul 2018 17:09:02 +0800
Available diffs
- diff from 2018.76-2 to 2018.76-3 (1.2 KiB)
dropbear (2018.76-2) unstable; urgency=low * debian/control: + Bump Standards-Version to 4.1.4 (no changes necessary). + Migrate Vcs-Browser and Vcs-Git from Alioth to Salsa. -- Guilhem Moulin <email address hidden> Tue, 05 Jun 2018 18:15:34 +0200
Available diffs
- diff from 2018.76-1 to 2018.76-2 (564 bytes)
dropbear (2018.76-1) unstable; urgency=low

  * New upstream release. Configuration/compatibility changes:
    + "dropbear -r" option for hostkeys no longer attempts to load the
      default hostkey paths as well. If desired these can be specified
      manually.
    + group1-sha1 key exchange is disabled in the server by default since
      the fixed 1024-bit group may be susceptible to attacks
    + twofish ciphers are now disabled in the default configuration
    + Default generated ECDSA key size is now 256 (rather than 521) for
      better interoperability
    + Minimum RSA key length has been increased to 1024 bits
    See https://dropbear.nl/mirror/CHANGES for the full changelog.
  * debian/control: bump Standards-Version to 4.1.3 (no changes necessary).
  * debian/dropbear-bin.docs: Remove TODO file.
  * debian/rules: Explicitly append "-fPIE -pie" to the LDFLAGS.

 -- Guilhem Moulin <email address hidden>  Mon, 05 Mar 2018 14:36:19 +0100
Superseded in cosmic-release |
Published in bionic-release |
Deleted in bionic-proposed (Reason: moved to release) |
dropbear (2017.75-3build1) bionic; urgency=medium * Rebuild against libtomcrypt1. -- Colin Watson <email address hidden> Tue, 21 Nov 2017 21:48:39 +0000
Available diffs
- diff from 2017.75-2 (in Debian) to 2017.75-3build1 (840 bytes)
- diff from 2017.75-3 (in Debian) to 2017.75-3build1 (306 bytes)
dropbear (2017.75-3) unstable; urgency=low * debian/control: + Remove hardcoding of libtomcryptX/libtommathY in dropbear-bin's Depends. (Closes: #879221.) + Bump Standards-Version to 4.1.1. Changes: - Replace dropbear's Priority from extra to optional (inherited from source package paragraph). -- Guilhem Moulin <email address hidden> Sun, 22 Oct 2017 14:30:10 +0200
Superseded in bionic-release |
Obsolete in artful-release |
Deleted in artful-proposed (Reason: moved to release) |
dropbear (2017.75-2) unstable; urgency=low

  * dropbear-initramfs:
    + init-bottom script: in the init-bottom script, send a SIGTERM to all
      process groups the leader of which is a child of the dropbear process,
      to ensure that all children of all SSH sessions are terminated (before
      dropbear itself is killed).
    + postinst: don't print the reminder to check "ip=" boot parameter if
      it's already found in /proc/cmdline.
    + premount script: log to standard error if the 'debug' environment
      variable is set.
    + premount script: boot method (local or NFS) is in environment variable
      'BOOT' not 'boot'.
    + On local mounts, don't bring down the network before dropbear was
      terminated (at init-bottom stage, not at local-bottom stage). Bringing
      down the network while an SSH session is still active makes clients
      hang until the connection times out.
    + init-bottom script: log which network interfaces are being brought
      down.
    + init-bottom script: replace xargs(1) with a while loop as it's
      apparently not included in Ubuntu's busybox. (LP: #1652091)
    + Compile with '--disable-bundled-libtom' to use system libtomcrypt /
      libtommath. (Closes: #870035)
  * debian/control: bump Standards-Version to 4.0.0 (no changes necessary).
  * debian/{control,dropbear-bin.install,dropbear-bin.manpages}: apply
    wrap-and-sort(1).

 -- Guilhem Moulin <email address hidden>  Tue, 08 Aug 2017 21:59:06 +0200
Available diffs
- diff from 2017.75-1 to 2017.75-2 (4.2 KiB)
dropbear (2017.75-1) unstable; urgency=medium * New upstream release. Remove quilt patches CVE-2017-9078 and CVE-2017-9079, previously backported from 2017.75 to 2016.74-5. -- Guilhem Moulin <email address hidden> Sat, 17 Jun 2017 12:36:10 +0200
Available diffs
- diff from 2016.74-5 to 2017.75-1 (11.8 KiB)
dropbear (2016.74-5) unstable; urgency=high

  * Backport security fixes from 2017.75 (closes: #862970):
    - CVE-2017-9078: Fix double-free in server TCP listener cleanup
      A double-free in the server could be triggered by an authenticated
      user if dropbear is running with -a (Allow connections to forwarded
      ports from any host)
      This could potentially allow arbitrary code execution as root by an
      authenticated user.
    - CVE-2017-9079: Fix information disclosure with ~/.ssh/authorized_keys
      symlink.
      Dropbear parsed authorized_keys as root, even if it were a symlink.
      The fix is to switch to user permissions when opening authorized_keys
      A user could symlink their ~/.ssh/authorized_keys to a root-owned file
      they couldn't normally read. If they managed to get that file to
      contain valid authorized_keys with command= options it might be
      possible to read other contents of that file.
      This information disclosure is to an already authenticated user.

 -- Guilhem Moulin <email address hidden>  Fri, 19 May 2017 23:41:21 +0200
Available diffs
- diff from 2016.74-4 to 2016.74-5 (1.9 KiB)
dropbear (2016.74-4) unstable; urgency=medium * Also trigger maintainer scripts when upgrading from dropbear 2014.65-1+deb8u1, by changing the upper bound from 2014.65-1 to 2015.68-1~. (Closes: #862544) -- Guilhem Moulin <email address hidden> Sun, 14 May 2017 16:56:40 +0200
Available diffs
- diff from 2016.74-3 to 2016.74-4 (798 bytes)
dropbear (2016.74-3) unstable; urgency=high * debian/copyright: add missing paragraphs to match upstream's LICENSE file. (Closes: #860406.) -- Guilhem Moulin <email address hidden> Sun, 16 Apr 2017 12:22:56 +0200
Available diffs
- diff from 2016.74-2 to 2016.74-3 (2.1 KiB)
Superseded in artful-release |
Obsolete in zesty-release |
Deleted in zesty-proposed (Reason: moved to release) |
dropbear (2016.74-2) unstable; urgency=low * Tolerate lack of boot script config file /etc/dropbear-initramfs/config. This can happen when dropbear-initramfs is upgraded (from <2016.73-1) along with the kernel, and the kernel is configured before dropbear-initramfs, cf. #841503. * debian/control: Add Depends: lsb-base (>= 3.0-6) for dropbear-run. * debian/README.Debian, debian/copyright: upgrade the homepage URI to https://. -- Guilhem Moulin <email address hidden> Tue, 13 Dec 2016 23:44:50 +0100
Available diffs
- diff from 2016.74-1 to 2016.74-2 (1.3 KiB)
Superseded in zesty-release |
Obsolete in yakkety-release |
Deleted in yakkety-proposed (Reason: moved to release) |
dropbear (2016.74-1) unstable; urgency=medium [ Matt Johnston ] * New upstream release. [ Guilhem Moulin ] * debian/control: + Bump Standards-Version to 3.9.8 (no changes necessary). * Fix initramfs hostkey path in changelog and NEWS file. Patch from Lukáš Krejza. (Closes: #830826.) -- Guilhem Moulin <email address hidden> Fri, 29 Jul 2016 10:29:42 +0200
Available diffs
- diff from 2016.73-1 to 2016.74-1 (15.5 KiB)
dropbear (2016.73-1) unstable; urgency=low

  [ Matt Johnston ]
  * New upstream release.

  [ Guilhem Moulin ]
  * dropbear-initramfs, dropbear-run:
    + In the postinst script, only generate host keys when all three key
      types (DSS, RSA, ECDSA) are missing. For instance if an RSA host key
      is present, a missing DSS host key will not be automatically
      generated.
    + Change architecture from 'any' to 'all' and remove --link-doc. This
      enables dropbear-initramfs to have its own NEWS file.
  * dropbear-run:
    + Use dh_installdirs to create /etc/dropbear.
  * dropbear-initramfs:
    + Take host keys (resp. authorized_keys) from /etc/initramfs-tools
      instead of /etc/initramfs-tools/etc/dropbear (resp.
      /etc/initramfs-tools/root/.ssh). These files are automatically moved
      on upgrade. This is done following the initramfs-tools maintainers'
      request (see #807527) that hook and boot script configuration files be
      stored outside the /etc/initramfs-tools directory.
    + Move hook script initramfs configuration from
      /etc/initramfs-tools/conf-hooks.d/dropbear to
      /usr/share/initramfs-tools/conf-hooks.d/dropbear. As a consequence,
      the file is no longer recognized as a user configuration file; it is
      only used to set a restrictive umask (to avoid disclosing the host
      keys) and to force the use of busybox.
    + Use /etc/dropbear-initramfs/config as initramfs boot script
      configuration. For backward compatibility setting dropbear options in
      /etc/initramfs-tools/initramfs.conf is still supported for now (but
      sourcing this file causes the hook to print a warning).
      (Closes: #819320.)

 -- Guilhem Moulin <email address hidden>  Wed, 13 Apr 2016 19:00:06 +0200
Available diffs
- diff from 2016.72-1 to 2016.73-1 (31.3 KiB)
Superseded in yakkety-release |
Published in xenial-release |
Deleted in xenial-proposed (Reason: moved to release) |
dropbear (2016.72-1) unstable; urgency=high

  [ Matt Johnston ]
  * New upstream release, fixing a xauth command injection vulnerability.
    See also http://www.openwall.com/lists/oss-security/2016/03/10/8

  [ Guilhem Moulin ]
  * debian/control:
    + Bump Standards-Version to 3.9.7 (no changes necessary).
    + Change Vcs-Git URI from git:// to https://.

 -- Guilhem Moulin <email address hidden>  Thu, 10 Mar 2016 22:14:47 +0100
Available diffs
- diff from 2015.71-1 to 2016.72-1 (1.9 KiB)
dropbear (2015.71-1) unstable; urgency=low [ Matt Johnston ] * New upstream release. [ Guilhem Moulin ] * dropbear-initramfs: + init-premount script: on local mounts, fork before 'configure_networking', so a user with access to the keyboard doesn't need to wait for ipconfig to terminate to enter the passphrase. (Closes: #806884.) It doesn't affect our fix to #584780 since 'configure_networking' and 'dropbear' run sequentially in the same process. -- Guilhem Moulin <email address hidden> Fri, 18 Dec 2015 13:10:57 +0100
Available diffs
- diff from 2015.70-1 to 2015.71-1 (3.3 KiB)
dropbear (2015.70-1) unstable; urgency=low [ Matt Johnston ] * New upstream release. [ Guilhem Moulin ] * dropbear-initramfs: + Take dropbear options from the DROPBEAR_OPTIONS environment variable, for consistency with DROPBEAR_IFDOWN. For backward compatibility the value of $PKGOPTION_dropbear_OPTION is used when DROPBEAR_OPTIONS is unset. + Take ownership of cryptsetup's /usr/share/doc/cryptsetup/README.remote and ship it as /usr/share/doc/dropbear-initramfs/README.initramfs . * debian/patches: + 0001-dbclient.1-dbclient-uses-compression-if-compiled-with.diff: Remove patch applied upstream. + 0002-dropbearkey.8-mention-y-option-add-example.diff: Remove patch applied upstream. -- Guilhem Moulin <email address hidden> Thu, 26 Nov 2015 17:06:59 +0100
Available diffs
- diff from 2015.68-1 to 2015.70-1 (15.1 KiB)
dropbear (2015.68-1) unstable; urgency=low

  * New co-maintainer.

  [ Matt Johnston ]
  * New upstream release. (Closes: #631858, #775222.)

  [ Guilhem Moulin ]
  * debian/source/format: 3.0 (quilt)
  * debian/compat: 9
  * debian/control:
    + Bump Standards-Version to 3.9.6 (no changes necessary).
    + Add Homepage, Vcs-Git, and Vcs-Browser fields.
  * debian/copyright: add machine-readable file.
  * Split up package in dropbear-bin (binaries), dropbear-run (init scripts)
    and dropbear-initramfs (initramfs integration). 'dropbear' is now a
    transitional dummy package depending on dropbear-run and
    dropbear-initramfs. (Closes: #692932.)
  * Refactor the package using dh_* tools, including dh_autoreconf.
    (Closes: #689618, #777324, #793006, #793917.)
  * Add 'Multi-Arch: foreign' tags.
  * dropbear-run:
    + Add a status option to the /etc/init.d script.
    + Pass key files with -r not -d in /etc/init.d script.
      (Closes: #761143.)
    + Post-installation script: Generate missing ECDSA in addition to RSA
      and DSS host keys. (Closes: #776976.)
  * dropbear-initramfs:
    + No longer mark /usr/share/initramfs-tools/conf-hooks.d/dropbear as a
      configuration file, since it violates the Debian Policy Manual section
      10.7.2. (Regression from 2014.64-1.) Instead, move the file to
      /etc/initramfs-tools/conf-hooks.d/dropbear and add a symlink in
      /usr/share/initramfs-tools/conf-hooks.d.
    + Delete debian/initramfs/premount-devpts, since /dev/pts is mounted by
      init since initramfs-tools 0.94. (Closes: #632656, #797939.)
    + Auto-generate host keys in the postinstall script, not when running
      update-initramfs. Pass the '-R' option (via
      $PKGOPTION_dropbear_OPTION) for the old behavior. Also, print
      fingerprint and ASCII art for generated keys (if ssh-keygen is
      available).
    + Revert ad2fb1c and remove warning about changing host key. Users
      shouldn't be encouraged to use the same keys in the encrypted
      partition and in the initramfs. The proper fix is to use an
      alternative port or UserKnownHostFile.
    + Set ~root to `mktemp -d "$DESTDIR/root-XXXXXX"` to avoid collisions
      with $rootmnt. (Closes: #558115.)
    + Exit gracefully if $IP is 'none' or 'off'. (Closes: #692932.)
    + Start dropbear with flag -s to explicitly disable password logins.
    + Terminate all children before killing dropbear, to avoid stalled SSH
      connections. (Closes: #735203.)
    + Run configure_networking in the foreground.
      (Closes: #584780, #626181, #739519.)
    + Bring down interfaces and flush IP routes and addresses before exiting
      the ramdisk, to avoid dirty network configuration in the regular
      kernel. (Closes: #715048, #720987, #720988.) The interfaces considered
      are those matching the $DROPBEAR_IFDOWN shell pattern (default: '*');
      the special value 'none' keeps all interfaces up and preserves routing
      tables and addresses.

 -- Guilhem Moulin <email address hidden>  Sat, 03 Oct 2015 20:47:33 +0200
dropbear (2013.60-1ubuntu2.1) trusty; urgency=medium * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798) -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600
Available diffs
- diff from 2013.60-1ubuntu2 to 2013.60-1ubuntu2.1 (626 bytes)
dropbear (2014.65-1ubuntu1.1) utopic; urgency=medium * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798) -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600
Available diffs
- diff from 2014.65-1ubuntu1 to 2014.65-1ubuntu1.1 (620 bytes)
Superseded in xenial-release |
Obsolete in wily-release |
Obsolete in vivid-release |
Deleted in vivid-proposed (Reason: moved to release) |
dropbear (2014.65-1ubuntu2) vivid; urgency=medium * Enable hmac-sha2-256 and hmac-sha2-512 MAC algorithms (LP: #1409798) -- Richard Hansen <email address hidden> Wed, 04 Feb 2015 16:11:03 -0600
Available diffs
- diff from 2014.65-1ubuntu1 to 2014.65-1ubuntu2 (622 bytes)
Superseded in vivid-release |
Obsolete in utopic-release |
Deleted in utopic-proposed (Reason: moved to release) |
dropbear (2014.65-1ubuntu1) utopic; urgency=low * Merge from Debian unstable. (LP: #1355670) Remaining changes: + debian/initramfs/premount-devpts, debian/rules: drop the script, this is handled by initramfs-tools. + debian/initramfs/dropbear-hook: do not install dropbear in the initramfs if there's no uncommented line in /etc/crypttab. + debian/initramfs/premout-dropbear: fix so that the network configuration happens before dropbear takes hold of the network card. -- Mattia Rizzolo <email address hidden> Tue, 12 Aug 2014 11:04:21 +0200
Available diffs
- diff from 2013.60-1ubuntu2 to 2014.65-1ubuntu1 (113.4 KiB)
Superseded in utopic-release |
Published in trusty-release |
Deleted in trusty-proposed (Reason: moved to release) |
dropbear (2013.60-1ubuntu2) trusty; urgency=medium * Fix initramfs hooks so that the network configuration happens before dropbear takes hold of the network card. (LP: #363958) * Drop premount-devpts script, this is handled by initramfs-tools. (LP: #1070992) * Do not install dropbear in the initramfs if there's no uncommented line in /etc/crypttab. -- Margarita Manterola <email address hidden> Wed, 19 Feb 2014 16:26:26 +0000
dropbear (2013.60-1ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: (LP: #1274195) - debian/initrmfs/premount-devpts: if /dev/pts is already mounted, don't re-mount it. * debian/diff/autoconfupdate.diff: dropped, not needed anymore.
Available diffs
- diff from 2012.55-1.4ubuntu1 to 2013.60-1ubuntu1 (181.3 KiB)
dropbear (2012.55-1.4ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: (LP: #1245984) - Update config.guess,sub for aarch634. - If /dev/pts is already mounted, don't re-mount.
Superseded in trusty-release |
Obsolete in saucy-release |
Obsolete in raring-release |
Deleted in raring-proposed (Reason: moved to release) |
dropbear (2012.55-1.3ubuntu1) raring-proposed; urgency=low * Merge from Debian unstable. Remaining changes: (LP: #834174) - Update config.guess,sub for aarch634 - If /dev/pts is already mounted, don't re-mount.
dropbear (2012.55-1ubuntu2) quantal; urgency=low * Update config.guess,sub for aarch64 -- Wookey <email address hidden> Mon, 01 Oct 2012 12:56:40 +0100
dropbear (2011.54-1ubuntu0.12.04.2) precise-proposed; urgency=low * If /dev/pts is already mounted, don't re-mount. (LP: #933903) -- Chris J Arges <email address hidden> Fri, 08 Jun 2012 15:30:28 -0500
Superseded in quantal-release |
dropbear (2012.55-1ubuntu1) quantal; urgency=low * If /dev/pts is already mounted, don't re-mount. (LP: #933903) -- Chris J Arges <email address hidden> Mon, 04 Jun 2012 12:43:57 +0100
dropbear (2011.54-1ubuntu0.12.04.1) precise-security; urgency=low * SECURITY UPDATE: remote execution via use after free (LP: #976360) - debian/diff/0004-Fix-use-after-free-bug-CVE-2012-0920.diff pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 Thanks to Matt Johnston - CVE-2012-0920 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200
dropbear (0.53.1-1ubuntu1.1) oneiric-security; urgency=low * SECURITY UPDATE: remote execution via use after free (LP: #976360) - debian/diff/0005-Fix-use-after-free-bug-CVE-2012-0920.diff pulled from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 Thanks to Matt Johnston - CVE-2012-0920 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200
dropbear (0.52-4ubuntu0.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: remote execution via use after free (LP: #976360) - debian/diff/0003-Fix-use-after-free-bug-CVE-2012-0920.diff backported from https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 Thanks to Gerrit Pape - CVE-2012-0920 -- Julian Taylor <email address hidden> Tue, 24 Apr 2012 22:54:41 +0200
dropbear (0.52-5+squeeze1build0.11.04.1) natty-security; urgency=low * fake sync from Debian
dropbear (2012.55-1) unstable; urgency=high * New upstream release. * Fix use-after-free bug that could be triggered if command="..." authorized_keys restrictions are used. Could allow arbitrary code execution or bypass of the command="..." restriction to an authenticated user. This bug affects releases 0.52 onwards. Ref CVE-2012-0920 (closes: #661150). Thanks to Danny Fullerton of Mantor Organization for reporting the bug. -- Gerrit Pape <email address hidden> Mon, 27 Feb 2012 14:18:53 +0000
Available diffs
- diff from 2011.54-1 to 2012.55-1 (5.4 KiB)
dropbear (2011.54-1) unstable; urgency=low [ Matt Johnston ] * new upstream release. * Added ALLOW_BLANK_PASSWORD option. Dropbear also now allows public key logins to accounts with a blank password. Thanks to Rob Landley (closes: #555889). * Bind to sockets with IPV6_V6ONLY so that it works properly on systems regardless of the system-wide setting (closes: #636696). [ Gerrit Pape ] * debian/control: Standards-Version: 3.9.2.0. -- Gerrit Pape <email address hidden> Wed, 16 Nov 2011 12:36:03 +0000
dropbear (0.53.1-1ubuntu1) oneiric; urgency=low * debian/diff/0004-fix-ftbfs-with-binutils-gold.diff: - Add -lcrypt to fix ftbfs with binutils gold (Closes: #631858). -- Angel Abad <email address hidden> Mon, 27 Jun 2011 22:39:11 +0200
Available diffs
- diff from 0.53.1-1 to 0.53.1-1ubuntu1 (804 bytes)
dropbear (0.53.1-1) unstable; urgency=low [ Matt Johnston ] * New upstream release. * SSH_ORIGINAL_COMMAND environment variable is set by the server when an authorized_keys command is specified (closes: #604524). [ Gerrit Pape ] * debian/rules: add --enable-bundled-libtom option to ./configure. * debian/rules: remove -DXAUTH_COMMAND="/usr/bin/X11/xauth -q from CFLAGS (workaround ./configure stupidity; closes: #625192). * debian/diff/0003-options.h-use-usr-bin-xauth-instead-of...diff: new; use /usr/bin/xauth instead of /usr/bin/X11/xauth for XAUTH_COMMAND (closes: #614355). -- Ubuntu Archive Auto-Sync <email address hidden> Thu, 05 May 2011 12:02:36 +0000
Available diffs
- diff from 0.52-5 to 0.53.1-1 (77.8 KiB)
dropbear (0.52-5) unstable; urgency=low [ debian@x.ray.net ] * debian/dropbear.postinst: initramfs-tools uses a conf-hooks.d/ directory for mkinitramfs ('compiletime') configuration, so to be sure to read the whole/correct config we need to source the files in there too, additionally to initramfs.conf (closes: #575504). * debian/initramfs/dropbear-conf: set UMASK=0077 (closes: #578117). [ Gerrit Pape ] * debian/control: Standards-Version: 3.8.4.0. -- Ubuntu Archive Auto-Sync <email address hidden> Sun, 09 May 2010 13:47:16 +0100
Available diffs
- diff from 0.52-4 to 0.52-5 (979 bytes)
dropbear (0.52-4) unstable; urgency=low * debian/initramfs/dropbear-hook: allow more than one public key in initramfs (thx Chris for the patch; closes: #548309).
Available diffs
- diff from 0.52-2 to 0.52-4 (1.8 KiB)
dropbear (0.52-2) unstable; urgency=medium * debian/initramfs/premount-dropbear: run configure_networking in the background (thx debian@x.ray.net, closes: #514213, #524728). * debian/control: Standards-Version: 3.8.2.0. -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 29 Jun 2009 21:36:20 +0100
Available diffs
- diff from 0.52-1 to 0.52-2 (542 bytes)
dropbear (0.52-1) unstable; urgency=low [ Matt Johnston ] * New upstream release. * dbclient.1: mention optional 'command' argument (closes: #495823). [ Gerrit Pape ] * debian/diff/0001-dbclient.1-dbclient-uses-compression-if...diff: new; dbclient.1: dbclient uses compression if compiled with zlib support (thx Luca Capello, closes: #495825). * debian/initramfs/*: new; cryptroot remote unlocking on boot feature (thx debian@x.ray.net). * debian/rules: install debian/initramfs/* (thx debian@x.ray.net). * debian/control: Suggests: udev (for cryptroot support, thx debian@x.ray.net). * debian/dropbear.postinst: conditionally run update-initramfs -u (for cryptroot support, thx debian@x.ray.net. closes: #465903). * debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff: new; mention -y option, add example (thx debian@x.ray.net). -- Ubuntu Archive Auto-Sync <email address hidden> Sat, 22 Nov 2008 23:53:59 +0000
Available diffs
- diff from 0.51-1 to 0.52-1 (79.9 KiB)
dropbear (0.51-1) unstable; urgency=low [ Matt Johnston ] * New upstream release. - Wait until a process exits before the server closes a connection, so that an exit code can be sent. This fixes problems with exit codes not being returned, which could cause scp to fail (closes: #448397, #472483). [ Gerrit Pape ] * debian/dropbear.postinst: don't print an error message if the update-service program is not installed (thx Matt).
dropbear (0.50-2) unstable; urgency=low * debian/dropbear.README.Debian: no longer talk about entropy from /dev/random, /dev/urandom is now used by default (thx Joey Hess, closes: #441515).
dropbear (0.49-2) unstable; urgency=low * debian/rules: apply diffs from debian/diff/ with patch -p1 instead of -p0. * debian/diff/0001-options.h-use-dev-urandom-instead-of-dev-random-a.diff: new; options.h: use /dev/urandom instead of /dev/random as DROPBEAR_RANDOM_DEV (closes: #386976). * debian/rules: target clean: remove libtomcrypt/Makefile, libtommath/Makefile. -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 11 Jun 2007 18:40:14 +0100
dropbear (0.49-1) unstable; urgency=high * new upstream release, fixes * CVE-2007-1099: dropbear dbclient insufficient warning on hostkey mismatch (closes: #412899). * dbclient uses static "Password:" prompt instead of using the server's prompt (closes: #394996). * debian/control: Suggests: openssh-client, not ssh (closes: #405686); Standards-Version: 3.7.2.2. * debian/README.Debian: ssh -> openssh-server, openssh-client; remove 'Replacing OpenSSH "sshd" with Dropbear' part, this is simply done by not installing the openssh-server package. * debian/README.runit: runsvstat -> sv status. -- Michael Bienia <email address hidden> Wed, 07 Mar 2007 22:09:16 +0000
dropbear (0.48.1-1) unstable; urgency=medium * new upstream point release. * Compile fix for scp * debian/diff/dbclient.1.diff: new: document -R option to dbclient accurately (thx Markus Schaber; closes: #351882). * debian/dropbear.README.Debian: document a workaround for systems with possibly blocking /dev/random device (closes: #355414).
Obsolete in breezy-security |
dropbear (0.45-3ubuntu0.1) breezy-security; urgency=low * SECURITY: - svr-chansession.c:addchildpid(): Fix incorrect expression evaluation order that results in a buffer overflow, leading to arbitrary code execution. Patch adapted from: http://security.debian.org/pool/updates/main/d/dropbear/dropbear_0.45-2sarge0.diff.gz * Reference: CVE-2005-4178 -- Daniel T Chen <email address hidden> Wed, 21 Dec 2005 01:46:34 -0800
Obsolete in hoary-security |
dropbear (0.43-2ubuntu0.1) hoary-security; urgency=low * SECURITY: - chansession.c:addchildpid(): Fix incorrect expression evaluation order that results in a buffer overflow, leading to arbitrary code execution. Patch adapted from: http://security.debian.org/pool/updates/main/d/dropbear/dropbear_0.45-2sarge0.diff.gz * Reference: CVE-2005-4178 -- Daniel T Chen <email address hidden> Wed, 21 Dec 2005 02:02:26 -0800
Obsolete in warty-security |
dropbear (0.42-1ubuntu0.1) warty-security; urgency=low * SECURITY: - chansession.c:addchildpid(): Fix incorrect expression evaluation order that results in a buffer overflow, leading to arbitrary code execution. Patch adapted from: http://security.debian.org/pool/updates/main/d/dropbear/dropbear_0.45-2sarge0.diff.gz + Reference: CVE-2005-4178 - dss.c:buf_dss_verify(), rsa.c:buf_rsa_verify(): Don't attempt to free uninitialised buffers. Patch adapted from diff between upstream versions 0.42 and 0.43. + Reference: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2004q3/000065.html -- Daniel T Chen <email address hidden> Wed, 21 Dec 2005 02:10:00 -0800
dropbear (0.47-1) unstable; urgency=high * New upstream release. * SECURITY: Fix incorrect buffer sizing. -- Matt Johnston <email address hidden> Thu, 8 Dec 2005 19:20:21 +0800
dropbear (0.45-3) unstable; urgency=low * debian/dropbear.init: init script prints human readable message in case it's disabled (closes: #309099). * debian/dropbear.postinst: configure: restart service through init script instead of start. * debian/dropbear.prerm: set -u -> set -e. -- Gerrit Pape <email address hidden> Wed, 25 May 2005 22:38:17 +0000
dropbear (0.43-2) unstable; urgency=high * Matt Johnston: * New upstream release 0.43 * SECURITY: Don't attempt to free uninitialised buffers in DSS verification code * Handle portforwarding to servers which don't send any initial data (Closes: #258426) * debian/dropbear.postinst: remove code causing bothersome warning on package install (closes: #256752). * debian/README.Debian.diet: new; how to build with the diet libc. * debian/dropbear.docs: add debian/README.Debian.diet. * debian/rules: support "diet" in DEB_BUILD_OPTIONS; minor cleanup. -- Gerrit Pape <email address hidden> Sat, 17 Jul 2004 19:31:19 +0000
dropbear (0.42-1) unstable; urgency=low * New upstream release 0.42. * debian/diff/cvs-20040520.diff: remove; obsolete. * debian/rules: disable target patch. -- Matt Johnston <email address hidden> Wed, 16 June 2004 12:44:54 +0800