A release of Dropbear 2026.90 has been published. The project develops an SSH server and client that has become widespread in wireless routers and compact distributions such as OpenWrt. Dropbear is characterized by low memory consumption, the ability to disable unnecessary functionality at build time, and support for building the client and server into a single executable, similar to busybox. When statically linked against uClibc, the Dropbear executable is only 110kB in size. Dropbear supports X11 forwarding, is compatible with the OpenSSH key file format (~/.ssh/authorized_keys), and can establish multi-hop connections forwarded through a transit host. The project code is written in C and distributed under an MIT-like license.
The new version fixes several security problems:
- Incomplete fix for a vulnerability in scp (CVE-2019-6111) that allows other files to be overwritten when connecting to a malicious server. With scp, the server decides which files and directories to send to the client, and the client only checks the validity of the returned object names. The client-side check blocks directory traversal (“../”), but in the case of recursive copying (-r) it did not account for the server returning directories with names different from those originally requested. The issue was resolved by prohibiting the “-r” option when the target directory already exists.
- A vulnerability (CVE-2026-35385) in the scp utility whereby, after copying a file as root with the “-O” option and without the “-p” option, the setuid/setgid bits were not cleared.
- Ability to bypass the “forced_command” directive in the authorized_keys settings when connecting as a user authenticated with the “-t” option (login requiring both password and public key verification).
- Denial of service caused by a local user creating a special file named authorized_keys that blocks read operations.
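The first two items above both come down to what the receiving side of scp accepts from the server. The following model of those client-side (“sink”) checks is an added example, not Dropbear's own code: it parses the C/D/E control records of the legacy scp protocol, rejects traversal names, requires top-level names to match what the client asked for (the gap behind the -r issue), and strips setuid/setgid bits unless -p was given (the CVE-2026-35385 case). The record format and the assumption that no glob was used in the request are simplifications.

```python
import re

SETUID_SETGID = 0o6000  # S_ISUID | S_ISGID

# Control records a legacy-protocol scp server sends while acting as the source:
#   Cmmmm <size> <name>   a regular file with octal mode mmmm
#   Dmmmm <size> <name>   enter a directory (recursive mode only)
#   E                     leave the current directory
RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def sanitize_mode(mode: int, preserve: bool) -> int:
    """Without -p the receiver must not carry setuid/setgid over from the server."""
    return mode if preserve else mode & ~SETUID_SETGID


def validate_sink(records, requested, recursive=False, preserve=False):
    """Return [(relative_path, mode)] for accepted entries; raise ValueError on anything
    the server should not have been allowed to send. Assumes no wildcards were requested."""
    expected = set(requested)
    stack = []  # directory nesting built from D/E records
    accepted = []
    for rec in records:
        if rec == "E":
            if not stack:
                raise ValueError("E record without a matching D")
            stack.pop()
            continue
        m = RECORD_RE.match(rec)
        if not m:
            raise ValueError(f"malformed record: {rec!r}")
        kind, mode_s, _size, name = m.groups()
        if name in ("", ".", "..") or "/" in name:
            raise ValueError(f"traversal attempt in name: {name!r}")
        if kind == "D" and not recursive:
            raise ValueError("directory record received but -r was not given")
        # Top-level names must be among those the client asked for. The old
        # check only looked for '..' and '/', so with -r a server could answer a
        # request for 'dir' with an unrelated directory name.
        if not stack and name not in expected:
            raise ValueError(f"server sent unrequested top-level name: {name!r}")
        accepted.append(("/".join(stack + [name]), sanitize_mode(int(mode_s, 8), preserve)))
        if kind == "D":
            stack.append(name)
    return accepted


def rejects(records, requested, **kw) -> bool:
    """True if validate_sink refuses the given server records."""
    try:
        validate_sink(records, requested, **kw)
        return False
    except ValueError:
        return True
```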