dropbear (2012.55-1.3+deb7u2) wheezy-security; urgency=high

  * Backport fix for CVE-2017-9079 from 2017.75: information disclosure with
    ~/.ssh/authorized_keys symlink.
    Dropbear parsed authorized_keys as root, even if it were a symlink. The
    fix is to switch to user permissions when opening authorized_keys A user
    could symlink their ~/.ssh/authorized_keys to a root-owned file they
    couldn't normally read. If they managed to get that file to contain valid
    authorized_keys with command= options it might be possible to read other
    contents of that file.
    This information disclosure is to an already authenticated user.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 20 May 2017 20:49:16 +0200

dropbear (2012.55-1.3+deb7u1) wheezy-security; urgency=high

  * Move to "3.0 (quilt)" source format for patch clarity.
  * CVE-2016-7406: Improve exit message formatting.
  * CVE-2016-7407: Fix potential segfaults in parsing OpenSSH's ASN.1 key
    format.

 -- Chris Lamb <lamby@debian.org>  Fri, 23 Sep 2016 20:32:22 +0200

dropbear (2012.55-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix initramfs hook when multiple variant of libc are installed.
    All credits due to Helmut Grohne for the report and the solution.
    (Closes: #682964)

 -- Jérémy Bobbio <lunar@debian.org>  Thu, 08 Nov 2012 10:45:01 +0100

dropbear (2012.55-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Unbreak initramfs hook when upgrading from Squeeze.

 -- Jérémy Bobbio <lunar@debian.org>  Tue, 25 Sep 2012 16:53:18 +0200

dropbear (2012.55-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Adjust initramfs hook to work with multi-arch. Initial patch by
    Michael Stapelberg. (Closes: #630581)

 -- Jérémy Bobbio <lunar@debian.org>  Tue, 25 Sep 2012 09:17:06 +0200

dropbear (2012.55-1) unstable; urgency=high

  * New upstream release.
    * Fix use-after-free bug that could be triggered if command="..."
      authorized_keys restrictions are used.  Could allow arbitrary
      code execution or bypass of the command="..." restriction to an
      authenticated user.  This bug affects releases 0.52 onwards.
      Ref CVE-2012-0920 (closes: #661150).  Thanks to Danny Fullerton
      of Mantor Organization for reporting the bug.

 -- Gerrit Pape <pape@smarden.org>  Mon, 27 Feb 2012 14:18:53 +0000

dropbear (2011.54-1) unstable; urgency=low

  [ Matt Johnston ]
  * new upstream release.
    * Added ALLOW_BLANK_PASSWORD option. Dropbear also now allows public
      key logins to accounts with a blank password. Thanks to Rob
      Landley (closes: #555889).
    * Bind to sockets with IPV6_V6ONLY so that it works properly on
      systems regardless of the system-wide setting (closes: #636696).

  [ Gerrit Pape ]
  * debian/control: Standards-Version: 3.9.2.0.

 -- Gerrit Pape <pape@smarden.org>  Wed, 16 Nov 2011 12:36:03 +0000

dropbear (0.53.1-1) unstable; urgency=low

  [ Matt Johnston ]
  * New upstream release.
    * SSH_ORIGINAL_COMMAND environment variable is set by the server
      when an authorized_keys command is specified (closes: #604524).

  [ Gerrit Pape ]
  * debian/rules: add --enable-bundled-libtom option to ./configure.
  * debian/rules: remove -DXAUTH_COMMAND="/usr/bin/X11/xauth -q from
    CFLAGS (workaround ./configure stupidity; closes: #625192).
  * debian/diff/0003-options.h-use-usr-bin-xauth-instead-of...diff: new;
    use /usr/bin/xauth instead of /usr/bin/X11/xauth for XAUTH_COMMAND
    (closes: #614355).

 -- Gerrit Pape <pape@smarden.org>  Mon, 02 May 2011 16:35:14 +0000

dropbear (0.52-5) unstable; urgency=low

  [ debian@x.ray.net ]
  * debian/dropbear.postinst: initramfs-tools uses a conf-hooks.d/
    directory for mkinitramfs ('compiletime') configuration, so to be
    sure to read the whole/correct config we need to source the files
    in there too, additionally to initramfs.conf (closes: #575504).
  * debian/initramfs/dropbear-conf: set UMASK=0077 (closes: #578117).

  [ Gerrit Pape ]
  * debian/control: Standards-Version: 3.8.4.0.

 -- Gerrit Pape <pape@smarden.org>  Sun, 18 Apr 2010 23:04:36 +0000

dropbear (0.52-4) unstable; urgency=low

  * debian/initramfs/dropbear-hook: allow more than one public key in
    initramfs (thx Chris for the patch; closes: #548309).

 -- Gerrit Pape <pape@smarden.org>  Tue, 06 Oct 2009 01:51:42 +0000

dropbear (0.52-3) unstable; urgency=low

  * debian/rules: configure: add XAUTH_COMMAND="/usr/bin/X11/xauth -q"
    to CFLAGS (thx Axel Beckert, Colin Watson; closes: #532900).
  * debian/dropbear.init: Improve abort messages due to
    /etc/default/dropbear::NO_START (thx Jari Aalto for the patch;
    closes: #541432).
  * debian/control: Provides: ssh-server (thx Steffen Moeller; closes:
    #543174)
  * debian/control: Suggests: xauth (thx Francis Russell; closes:
    #508233).

 -- Gerrit Pape <pape@smarden.org>  Thu, 24 Sep 2009 14:37:17 +0000

dropbear (0.52-2) unstable; urgency=medium

  * debian/initramfs/premount-dropbear: run configure_networking in the
    background (thx debian@x.ray.net, closes: #514213, #524728).
  * debian/control: Standards-Version: 3.8.2.0.

 -- Gerrit Pape <pape@smarden.org>  Sun, 28 Jun 2009 23:22:39 +0000

dropbear (0.52-1) unstable; urgency=low

  [ Matt Johnston ]
  * New upstream release.
    * dbclient.1: mention optional 'command' argument (closes: #495823).

  [ Gerrit Pape ]
  * debian/diff/0001-dbclient.1-dbclient-uses-compression-if...diff:
    new; dbclient.1: dbclient uses compression if compiled with zlib
    support (thx Luca Capello, closes: #495825).
  * debian/initramfs/*: new; cryptroot remote unlocking on boot feature
    (thx debian@x.ray.net).
  * debian/rules: install debian/initramfs/* (thx debian@x.ray.net).
  * debian/control: Suggests: udev (for cryptroot support, thx
    debian@x.ray.net).
  * debian/dropbear.postinst: conditionally run update-initramfs -u
    (for cryptroot support, thx debian@x.ray.net. closes: #465903).
  * debian/diff/0002-dropbearkey.8-mention-y-option-add-example.diff:
    new; mention -y option, add example (thx debian@x.ray.net).

 -- Gerrit Pape <pape@smarden.org>  Wed, 19 Nov 2008 20:58:59 +0000

dropbear (0.51-1) unstable; urgency=low

  [ Matt Johnston ]
  * New upstream release.
    - Wait until a process exits before the server closes a connection,
      so that an exit code can be sent. This fixes problems with exit
      codes not being returned, which could cause scp to fail (closes:
      #448397, #472483).
  
  [ Gerrit Pape ]
  * debian/dropbear.postinst: don't print an error message if the
    update-service program is not installed (thx Matt).

 -- Gerrit Pape <pape@smarden.org>  Thu, 27 Mar 2008 20:08:06 +0000

dropbear (0.50-4) unstable; urgency=low

  * debian/dropbear.init: apply patch from Petter Reinholdtsen: add LSB
    formatted dependency info in init.d script (closes: #466257).
  * debian/rules: no longer include symlinks for ./supervise/ subdirectories.
  * debian/dropbear.postinst: upgrade from << 0.50-4: if dropbear is managed
    by runit, remove service, and re-add using update-service(8).
  * debian/control: Standards-Version: 3.7.3.0.
  * debian/rules: target clean: don't ignore errors but check for readable
    ./Makefile.

 -- Gerrit Pape <pape@smarden.org>  Thu, 06 Mar 2008 19:06:58 +0000

dropbear (0.50-3) unstable; urgency=low

  * debian/dropbear.init: use the update-service(8) program from the runit
    package instead of directly checking for the symlink in /var/service/.
  * debian/README.runit: talk about update-service(8) instead of symlinks
    in /var/service/.

 -- Gerrit Pape <pape@smarden.org>  Fri, 15 Feb 2008 00:32:37 +0000

dropbear (0.50-2) unstable; urgency=low

  * debian/dropbear.README.Debian: no longer talk about entropy from
    /dev/random, /dev/urandom is now used by default (thx Joey Hess,
    closes: #441515).

 -- Gerrit Pape <pape@smarden.org>  Mon, 24 Sep 2007 16:49:17 +0000

dropbear (0.50-1) unstable; urgency=low

  * debian/README.runit: minor.
  * new upstream version.
  * debian/diff/0001-options.h-use-dev-urandom-instead-of-dev-random-a.diff:
    remove; fixed upstream.

 -- Gerrit Pape <pape@smarden.org>  Thu, 09 Aug 2007 23:01:01 +0000

dropbear (0.49-2) unstable; urgency=low

  * debian/rules: apply diffs from debian/diff/ with patch -p1 instead of
    -p0.
  * debian/diff/0001-options.h-use-dev-urandom-instead-of-dev-random-a.diff:
    new; options.h: use /dev/urandom instead of /dev/random as
    DROPBEAR_RANDOM_DEV (closes: #386976).
  * debian/rules: target clean: remove libtomcrypt/Makefile,
    libtommath/Makefile.

 -- Gerrit Pape <pape@smarden.org>  Sat, 09 Jun 2007 08:59:59 +0000

dropbear (0.49-1) unstable; urgency=high

  * new upstream release, fixes
    * CVE-2007-1099: dropbear dbclient insufficient warning on hostkey
      mismatch (closes: #412899).
    * dbclient uses static "Password:" prompt instead of using the server's
      prompt (closes: #394996).
  * debian/control: Suggests: openssh-client, not ssh (closes: #405686);
    Standards-Version: 3.7.2.2.
  * debian/README.Debian: ssh -> openssh-server, openssh-client; remove
    'Replacing OpenSSH "sshd" with Dropbear' part, this is simply done by not
    installing the openssh-server package.
  * debian/README.runit: runsvstat -> sv status.

 -- Gerrit Pape <pape@smarden.org>  Fri,  2 Mar 2007 20:48:18 +0000

dropbear (0.48.1-1) unstable; urgency=medium

  * new upstream point release.
    * Compile fix for scp
  * debian/diff/dbclient.1.diff: new: document -R option to dbclient
    accurately (thx Markus Schaber; closes: #351882).
  * debian/dropbear.README.Debian: document a workaround for systems with
    possibly blocking /dev/random device (closes: #355414)..

 -- Gerrit Pape <pape@smarden.org>  Sun, 16 Apr 2006 16:16:40 +0000

dropbear (0.48-1) unstable; urgency=medium

  * New upstream release.
  * SECURITY: Improve handling of denial of service attempts from a single
    IP.

  * debian/implicit: update to revision 1.11.
  * new upstream release updates to scp from OpenSSH 4.3p2 - fixes a
    security issue where use of system() could cause users to execute
    arbitrary code through malformed filenames; CVE-2006-0225 (see also
    #349645); the scp binary is not provided by this package though.

 -- Gerrit Pape <pape@smarden.org>  Fri, 10 Mar 2006 22:00:32 +0000

dropbear (0.47-1) unstable; urgency=high

  * New upstream release.
  * SECURITY: Fix incorrect buffer sizing; CVE-2005-4178.

 -- Matt Johnston <matt@ucc.asn.au>  Thu, 8 Dec 2005 19:20:21 +0800

dropbear (0.46-2) unstable; urgency=low

  * debian/control: Standards-Version: 3.6.2.1; update descriptions to
    mention included server and client (thx Tino Keitel).
  * debian/dropbear.init: allow '/etc/init.d/dropbear stop' even though
    'NO_START is not set to zero.' (closes: #336723).

 -- Gerrit Pape <pape@smarden.org>  Tue,  6 Dec 2005 13:30:49 +0000

dropbear (0.46-1) unstable; urgency=medium

  * New upstream release, various fixes.
  * debian/diff/dbclient-usage-typo.diff, debian/diff/manpages.diff: remove;
    obsolete.
  * debian/dbclient.1: move to ./dbclient.1.

 -- Matt Johnston <matt@ucc.asn.au>  Fri, 8 July 2005 21:32:55 +0800

dropbear (0.45-3) unstable; urgency=low

  * debian/dropbear.init: init script prints human readable message in case
    it's disabled (closes: #309099).
  * debian/dropbear.postinst: configure: restart service through init script
    instead of start.
  * debian/dropbear.prerm: set -u -> set -e.

 -- Gerrit Pape <pape@smarden.org>  Wed, 25 May 2005 22:38:17 +0000

dropbear (0.45-2) unstable; urgency=low

  * Matt Johnston:
    * New upstream release, various fixes.

 -- Gerrit Pape <pape@smarden.org>  Sat, 12 Mar 2005 15:17:55 +0000

dropbear (0.44-1) unstable; urgency=low

  * New upstream release.
  * debian/rules: install /usr/bin/dbclient; handle possible patches more
    gracefully; install debian/dbclient.1 man page; enable target patch;
    minor.
  * debian/implicit: update to revision 1.10.
  * debian/dbclient.1: new; man page.
  * debian/diff/dbclient-usage-typo.diff: new; fix typo.
  * debian/diff/manpages.diff: new; add references to dbclient man page.

 -- Gerrit Pape <pape@smarden.org>  Sat,  8 Jan 2005 22:50:43 +0000

dropbear (0.43-2) unstable; urgency=high

  * Matt Johnston:
    * New upstream release 0.43
    * SECURITY: Don't attempt to free uninitialised buffers in DSS verification
      code
    * Handle portforwarding to servers which don't send any initial data
      (Closes: #258426)
  * debian/dropbear.postinst: remove code causing bothersome warning on
    package install (closes: #256752).
  * debian/README.Debian.diet: new; how to build with the diet libc.
  * debian/dropbear.docs: add debian/README.Debian.diet.
  * debian/rules: support "diet" in DEB_BUILD_OPTIONS; minor cleanup.

 -- Gerrit Pape <pape@smarden.org>  Sat, 17 Jul 2004 19:31:19 +0000

dropbear (0.42-1) unstable; urgency=low

  * New upstream release 0.42.
  * debian/diff/cvs-20040520.diff: remove; obsolete.
  * debian/rules: disable target patch.

 -- Matt Johnston <matt@ucc.asn.au>  Wed, 16 June 2004 12:44:54 +0800

dropbear (0.41-3) unstable; urgency=low

  * 1st upload to the Debian archive (closes: #216553).
  * debian/diff/cvs-20040520.diff: new; stable cvs snapshot.
  * debian/rules: new target patch: apply diffs in debian/diff/, reverse
    apply in target clean; install man pages.
  * debian/control: Priority: optional.

 -- Gerrit Pape <pape@smarden.org>  Sun, 23 May 2004 08:32:37 +0000

dropbear (0.41-2) unstable; urgency=low

  * new maintainer.
  * debian/control: no longer Build-Depends: debhelper; Build-Depends:
    libz-dev; Standards-Version: 3.6.1.0; Suggests: runit; update
    descriptions.
  * debian/rules: stop using debhelper, use implicit rules; cleanup;
    install dropbearconvert into /usr/lib/dropbear/.
  * debian/impicit: new; implicit rules.
  * debian/copyright.in: adapt.
  * debian/dropbear.init: minor adaptions; test for dropbear service
    directory.
  * debian/README.runit: new; how to use dropbear with runit.
  * debian/README.Debian, debian/docs: rename to debian/dropbear.*.
  * debian/dropbear.docs: add debian/README.runit
  * debian/conffiles: rename to debian/dropbear.conffiles; add init
    script, and run scripts.
  * debian/postinst: rename to debian/dropbear.postinst; adapt; use
    invloke-rc.d dropbear start.
  * debian/dropbear.prerm: new; invoke-rc.d dropbear stop.
  * debian/postrm: rename to debian/dropbear.postrm; adapt; clean up
    service directories.
  * debian/compat, debian/dirs, dropbear.default: remove; obsolete.

 -- Gerrit Pape <pape@smarden.org>  Sun, 16 May 2004 16:50:55 +0000

dropbear (0.41-1) unstable; urgency=low

  * Updated to 0.41 release.
  * Various minor fixes

 -- Matt Johnston <matt@ucc.asn.au>  Mon, 19 Jan 2004 23:20:54 +0800

dropbear (0.39-1) unstable; urgency=low

  * updated to 0.39 release. Some new features, some bugfixes.

 -- Matt Johnston <matt@ucc.asn.au>  Tue, 16 Dec 2003 16:20:54 +0800

dropbear (0.38-1) unstable; urgency=medium

  * updated to 0.38 release - various important bugfixes

 -- Matt Johnston <matt@ucc.asn.au>  Sat, 11 Oct 2003 16:28:54 +0800

dropbear (0.37-1) unstable; urgency=medium

  * updated to 0.37 release - various important bugfixes

 -- Matt Johnston <matt@ucc.asn.au>  Wed, 24 Sept 2003 19:43:54 +0800

dropbear (0.36-1) unstable; urgency=high

  * updated to 0.36 release - various important bugfixes

 -- Matt Johnston <matt@ucc.asn.au>  Tues, 19 Aug 2003 12:20:54 +0800

dropbear (0.35-1) unstable; urgency=high

  * updated to 0.35 release - contains fix for remotely exploitable
    vulnerability.

 -- Matt Johnston <matt@ucc.asn.au>  Sun, 17 Aug 2003 05:37:47 +0800

dropbear (0.34-1) unstable; urgency=medium

  * updated to 0.34 release

 -- Matt Johnston <matt@ucc.asn.au>  Fri, 15 Aug 2003 15:10:00 +0800

dropbear (0.33-1) unstable; urgency=medium

  * updated to 0.33 release

 -- Matt Johnston <matt@ucc.asn.au>  Sun, 22 Jun 2003 22:22:00 +0800

dropbear (0.32cvs-1) unstable; urgency=medium

  * now maintained in UCC CVS
  * debian/copyright.in file added, generated from LICENSE

 -- Grahame Bowland <grahame@angrygoats.net>  Tue, 21 Jun 2003 17:57:02 +0800

dropbear (0.32cvs-1) unstable; urgency=medium

  * sync with CVS
  * fixes X crash bug

 -- Grahame Bowland <grahame@angrygoats.net>  Tue, 20 Jun 2003 15:04:47 +0800

dropbear (0.32-2) unstable; urgency=low

  * fix creation of host keys to use correct names in /etc/dropbear
  * init script "restart" function fixed
  * purging this package now deletes the host keys and /etc/dropbear
  * change priority in debian/control to 'standard'

 -- Grahame Bowland <grahame@angrygoats.net>  Tue, 17 Jun 2003 15:04:47 +0800

dropbear (0.32-1) unstable; urgency=low

  * Initial Release.

 -- Grahame Bowland <grahame@angrygoats.net>  Tue, 17 Jun 2003 15:04:47 +0800

