-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Mar 2025 17:20:35 +0100
Source: dropbear
Architecture: source
Version: 2025.87-1
Distribution: unstable
Urgency: low
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Changes:
 dropbear (2025.87-1) unstable; urgency=low
 .
   * New upstream release. Highlights include:
 .
     + Post-quantum key exchange algorithms sntrup761 and ML-KEM are now
       supported.
 .
     + Compression is now disabled for dropbear(8) in the client to server
       direction. This avoids attack surface for zlib, and also saves 35kB
       runtime RAM for the decompression context.
 .
     + Due to vulnerabilities in the SHA-1 digest algorithm, dropbear(8) and
       dbclient(1) are now built without support for the ‘hmac-sha1’ integrity
       algorithm, ‘ssh-rsa’ key algorithm, and ‘diffie-hellman-group14-sha1’
       key exchange algorithm. (The ‘diffie-hellman-group1-sha1’ key exchange
       algorithm, which also uses SHA-1, has been disabled at build time for
       dropbear(8) since 2018.76-1, but remains available to dbclient(1).)
 .
       Note that OpenSSH has disabled support for these algorithms by default
       (runtime) since 8.8. There is *no need* to rotate existing RSA host or
       user keys: OpenSSH has been supporting RFC8332 RSA/SHA-256/512
       signatures since 7.2, and dropbear since 2020.79. However, this change
       might break connection to legacy servers resp. from legacy clients.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
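The changelog above warns that dropping the SHA-1 algorithms may break legacy peers. As an added example (not code from the changelog, Debian or dropbear), this parses a peer's SSH_MSG_KEXINIT payload and reports the categories in which the peer offers nothing but the removed names. The function names and the sample offer are constructed for illustration; the removed set models the dropbear(8) server side, and a MAC list only matters when the negotiated cipher is not an AEAD one.

```python
# SSH_MSG_KEXINIT name-lists in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# SHA-1 based names the changelog lists as not built into dropbear(8).
REMOVED = {
    "kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"},
    "hostkey": {"ssh-rsa"},
    "mac_c2s": {"hmac-sha1"},
    "mac_s2c": {"hmac-sha1"},
}

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its ten name-lists."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}  # skip the message type byte and 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[off:off + 4], "big")
        raw = payload[off + 4:off + 4 + size]
        if len(payload) < off + 4 + size:
            raise ValueError("truncated name-list")
        lists[field] = raw.decode("ascii").split(",") if raw else []
        off += 4 + size
    return lists

def sha1_only(lists: dict) -> list:
    """Categories in which every algorithm the peer offers was removed."""
    flagged = []
    for field, removed in REMOVED.items():
        # Extension markers in the kex list are not key exchange methods.
        offered = [a for a in lists[field]
                   if not a.startswith(("ext-info-", "kex-strict-"))]
        if offered and all(a in removed for a in offered):
            flagged.append(field)
    return flagged

def build_kexinit(lists: dict) -> bytes:
    """Constructed sample input: encode name-lists as a KEXINIT payload."""
    body = bytes([20]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += len(names).to_bytes(4, "big") + names
    return body + b"\x00" + (0).to_bytes(4, "big")

# Constructed example of a legacy client's offer (not captured traffic).
LEGACY = build_kexinit({"kex": ["diffie-hellman-group14-sha1", "ext-info-c"],
                        "hostkey": ["ssh-rsa"], "mac_c2s": ["hmac-sha1"],
                        "mac_s2c": ["hmac-sha1", "hmac-sha2-256"]})
print(sha1_only(parse_kexinit(LEGACY)))
```

A flagged category means negotiation with the rebuilt dropbear(8) cannot succeed there until the peer is upgraded or reconfigured; an empty result does not by itself prove the two sides share an algorithm.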