dropbear (2022.83-1+deb12u2) bookworm; urgency=medium

  * Fix noremotetcp behavior. Keepalive packets were being ignored when the
    '-k' flag (or 'no-port-forwarding' authorized_keys(5) restriction) was
    used. (Closes: #1069768)

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 09 Jul 2024 14:22:02 +0200

dropbear (2022.83-1+deb12u1) bookworm; urgency=medium

  * Fix CVE-2023-48795: (terrapin attack): The SSH transport protocol with
    certain OpenSSH extensions allows remote attackers to bypass integrity
    checks such that some packets are omitted (from the extension
    negotiation message), and a client and server may consequently end up
    with a connection for which some security features have been downgraded
    or disabled, aka a Terrapin attack. (Closes: #1059001)

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Jan 2024 10:01:00 +0100

dropbear (2022.83-1) unstable; urgency=medium

  * New upstream release 2022.83. Support for ssh-dss (DSA) host and user
    keys is disabled by default at compile-time. Such keys are considered
    insecure as they are only 1024 bits long and use the SHA-1 digest
    algorithm. Note that OpenSSH disables support for such keys at run-time
    since 7.0/7.0p1.
  * Reflect ssh-dss deprecation in maintscripts and NEWS file.
  * d/t/remote-unlocking: Use 2 vCPUs.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 14 Nov 2022 22:16:35 +0100

dropbear (2022.82-4.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <biebl@debian.org>  Sat, 15 Oct 2022 12:01:59 +0200

dropbear (2022.82-4) unstable; urgency=medium

  [ Guilhem Moulin ]
  * d/rules: Inspect DEB_BUILD_* with $(filter ,) not $(findstring ,).
  * Salsa CI: Remove default configuration file.
  * Update standards version to 4.6.1, no changes needed.
  * d/t/remote-unlocking: Mask systemd-firstboot.service to fix debci with
    systemd 251.5-1.
  * d/copyright: typofix.
  * Refresh lintian overrides to accommodate lintian v2.115.

  [ Steve Langasek ]
  * DEP-8: Call mkdir with -p to fix autopkgtest on Ubuntu.
    (Closes: #1017876)

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 05 Oct 2022 20:20:13 +0200

dropbear (2022.82-3) unstable; urgency=low

  * d/t/upstream-tests: Set DBTEST_IN_ACTION=true so we don't skip
    test_svrauth.py.
  * d/t/upstream-tests: Guard against direct use.
  * d/dropbear.preinst: Also migrate *unmodified* /etc/default/dropbear from
    Jessie, Stretch, and Buster to conffile. Existing files were never
    touched by postinst, so it makes sense to migrate known stock versions
    older than Bullseye.
  * d/t/remote-unlocking: Don't look for swap in the validation phase as
    doing so is racy.
  * d/patches: Fix FTBFS on hurd-i386.
  * Add d/u/metadata.
  * d/dropbear.postrm: Minor quoting improvements
  * d/t/control: Improve comment in remote-unlocking test.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 04 Apr 2022 23:32:24 +0200

dropbear (2022.82-2) unstable; urgency=medium

  * d/dropbear.postrm: Remove redundant `rm` call.
  * d/t/upstream-tests: Run pytest in ./test.
  * d/p: Raise connection delay in test/test_channels.py to make it pass on
    slower machines (such as the armhf debci runners).

 -- Guilhem Moulin <guilhem@debian.org>  Sun, 03 Apr 2022 10:00:11 +0200

dropbear (2022.82-1) unstable; urgency=medium

  [ Matt Johnston ]
  * New upstream release 2022.82. Highlights include:
    - dropbearconvert(1): Support converting from OpenSSH (>=7.8) private
      key format (closes: #955384), and convert to that format rather than
      PEM
    - Reworked -v verbose printing, specifying multiple times will increase
      verbosity.
    - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in
      authorized_keys(5).
    - Use a separate $PATH when logging in as root (closes: #903403).
    - Disable dh-group1 key exchange by default. It has been disabled
      server side by default since 2018.76-1.
    - Removed Twofish cipher.

  [ Lee Garrett ]
  * initramfs script configuration: Add quotes to indicate they're required.
    (Closes: #1003951)

  [ Guilhem Moulin ]
  * Add missing build dependency on dh addon.
  * initramfs script configuration: Clarify that assignments follow shell
    semantics.
  * d/gbp.conf: Add upstream VCS tag as additional parent to
    upstream/$VERSION.
  * Run wrap-and-sort(1).
  * Fix autopkgtest for non-sid suites.
  * Create localoptions.h in d/rules not from d/patches.
  * d/localoptions.h: Hardcode PATH environment variable when a regular user
    resp. the superuser logs in to the login.defs(5) default values, namely
    "/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games" resp.
    "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin".
  * d/tests: Run the upstream test suite as a DEP-8 test. We skip it at
    build time since it needs access to ~/.ssh which is forbidden in the
    build environment.
  * Update d/copyright.
  * d/rules: Remove useless override_dh_installinit target and rename
    d/dropbear.dropbear.init to d/dropbear.init.
  * d/dropbear.init: Put PID file in /run not /var/run.
  * d/dropbear.init: Minor refactoring.
  * d/dropbear.postinst: Replace deprecated which(1) calls with
    `command -v`.
  * d/dropbear.postinst: Also convert OpenSSH keys in new format since
    dropbearconvert(1) can now convert those.
  * Remove d/README.Debian.diet from 'dropbear-bin' documentation.
  * Install README.Debian in 'dropbear' package not 'dropbear-bin'.
  * Minor d/dropbear.README.Debian improvement.
  * d/control: Improve package description.
  * Add systemd.service(5) file.
  * /etc/default/dropbear: Breaking changes to accommodate the
    systemd.service(5) logic:
    + Drop support for NO_START=1 (one needs to manually disable the
      service or remove the package instead); and
    + Drop support for DROPBEAR_*KEY and DROPBEAR_BANNER (one needs to use
      DROPBEAR_EXTRA_ARGS with the adequate dropbear(8) instead).
  * Handle /etc/default/dropbear as a conffile instead of letting postinst
    create it.

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 02 Apr 2022 15:51:17 +0200

dropbear (2020.81-5) unstable; urgency=medium

  * d/t/remote-unlocking: Replace QEMU's deprecated short-form boolean
    options.
  * d/t/remote-unlocking: Set cache=unsafe on the target drive.
  * d/t/remote-unlocking: Use apt-get indextargets's Repo-URI not its URI.
  * d/t/remote-unlocking: Ensure the current version of the package is
    available.
  * d/t/remote-unlocking: Replace linux-image-amd64 with
    linux-image-generic.
  * d/t/remote-unlocking: Set 'size=256' in crypttab(5).
  * d/t/remote-unlocking: Fix APT Repo-URI scheme.
  * d/rules: Replace manual call to dh_link with a new d/dropbear.links
    file.
  * d/copyright: Set field Upstream-Name.
  * Refresh lintian overrides to accommodate lintian v2.114.

 -- Guilhem Moulin <guilhem@debian.org>  Wed, 08 Dec 2021 12:37:31 +0100

dropbear (2020.81-4) unstable; urgency=low

  * d/control: Remove <pape> from Uploaders. Thanks to gerrit for their work
    on the dropbear package! (Closes: #907082)
  * d/control: dropbear: Demote 'dropbear-initramfs' to Suggests.
    (Closes: #962132)
  * d/control: Bump Standards-Version to 4.6.0 (no changes necessary).
  * initramfs boot script: Don't exit when IP={none,off}.
    (Closes: #958526)
  * Rename /etc/dropbear-initramfs to /etc/dropbear/initramfs, and
    /etc/dropbear-initramfs/config to /etc/dropbear/initramfs/dropbear.conf.
  * d/t/on-lvm-and-luks: Near-complete rewrite:
    - Adjust partition sizes to account for the current needs of the
      distro.
    - Set 'Architecture: amd64' to properly skip the test on other
      architectures.
    - Run mmdebstrap(1) with --mode=auto instead of --mode=root. This uses
      --mode=unshare when kernel.unprivileged_userns_clone is set to 1,
      otherwise --mode=fakeroot (#944929 is now fixed)
    - Consolidate style.
    - Ensure we're testing the current dropbear-initramfs version.
    - Use KVM acceleration when possible. Also, try to create /dev/kvm if
      missing (for instance in a chroot where /dev is not managed by udev).
    - Raise timeout values so the test has a chance to complete when KVM is
      not supported/used.
    - Adjust copyright.
    - Replace 'Depends: libguestfs-tools, sleepenh, time' with
      'Depends: cryptsetup-initramfs, fdisk, initramfs-tools-core, lvm2'.
      Instead of using guestfish(1) to set up a first system which is in
      turn used to set up the target system, we build a custom initramfs
      image containing the required dependencies, boot into it and entirely
      set up the target system from there.
    - Unconditionally dump (in real time) the guest's serial console into
      the standard output. Before it was only done upon error.
    - Use a random key file instead of a hardcoded/pre-chosen passphrase.
    - Restrict the guest's ability to reach external hosts.
    - Assign static addresses under 10.0.2.128/25 instead of using DHCP.
      That way we don't have to include 'isc-dhcp-client' in the
      debootstrap chroot.
    - Use dropbear instead of OpenSSH in the main system as well, not just
      in the initramfs. After all we're testing dropbear here :-)
    - Instead of having the root and swap (resume) devices each in its own
      LV held by a LUKS device, we put the root FS directly on the root
      device, and add a new plain dm-crypt partition for a transient swap
      device. This removes 'Depends: lvm2'. Consequently, the test is
      renamed to 'remote-unlocking'.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 19 Aug 2021 13:08:39 +0200

dropbear (2020.81-3) unstable; urgency=medium

  * Initramfs: Use 10 placeholders in ~root template.
  * Initramfs: Explicitly pass --tmpdir flag to mktemp(1).
  * Initramfs hook: Better guard against unsafe $DESTDIR.
  * Postinst: Show hostkey filename in showpubkey().
  * Postinst: No longer generate DSS (DSA) host keys.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 14 Jan 2021 21:14:26 +0100

dropbear (2020.81-2) unstable; urgency=medium

  * Initramfs hook: Use ldconfig to find the path of the dlopen()'ed sonames
    to copy over.
  * Rename Debian branch to debian/latest for DEP-14 compliance.
  * Remove compression=bzip2 from d/gbp.conf.
  * Initramfs init-bottom script: Make wait_for_dropbear() 60s timeout
    configurable with new option $DROPBEAR_SHUTDOWN_TIMEOUT.
    (Closes: #964187)
  * Update watch file format version to 4.
  * Bump Standards-Version to 4.5.1 (no changes necessary).
  * d/patches/local-options.patch: Mark "Forwarded: not-needed".
  * d/debian/dropbear.postinst: Use dropbearconvert(1) from $PATH not from
    deprecated /usr/lib/dropbear.
  * dropbear-bin: Override "breakout-link usr/lib/dropbear/dropbearconvert
    -> usr/bin/dropbearconvert" lintian warning. This is a compatibility
    symlink since 2020.79-1.

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 01 Jan 2021 20:41:58 +0100

dropbear (2020.81-1) unstable; urgency=medium

  * New upstream bugfix release.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 29 Oct 2020 23:16:17 +0100

dropbear (2020.80-1) unstable; urgency=medium

  * New upstream bugfix release.
  * debian/patches/authorized_keys-options-parsing.patch: Remove patch, now
    applied upstream.
  * debian/tests/on-lvm-and-luks: Replace dpkg-architecture(1) call with
    `dpkg --print-architecture`. The CI runners aren't build machines.

 -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Jun 2020 17:38:44 +0200

dropbear (2020.79-2) unstable; urgency=medium

  * debian/tests/on-lvm-and-luks: skip test on non-amd64 hosts.
  * Remove build dependency on dh-exec(1).
  * debian/control: Bump debhelper compatibility level to 13.
  * debian/service/run: (runit script) to drop deprecated option '-d' and
    add support for ECDSA and ED25519 host keys.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 16 Jun 2020 16:09:57 +0200

dropbear (2020.79-1) unstable; urgency=low

  [ Guilhem Moulin ]
  * New upstream release. Highlights and potentially breaking changes
    include
    + Add ed25519 host and client keys support.
    + Add ChaCha20/Poly1305 authenticated cipher support.
    + X11 forwarding is disabled at compile time.
    + AES-CBC and 3DES ciphers are disabled at compile time.
    + Use getrandom() call for entropy collection.
  * debian/README.initramfs: fix path to cryptsetup's README.Debian.gz.
    (Closes: #934146)
  * debian/initramfs/dropbear-hook: Don't mention cryptroot in warning
    messages, only SSH login.
  * debian/initramfs/bottom-dropbear: Wait for dropbear to start before
    bringing the network down. This avoids a race where the network stack
    was not fully configured yet by the time the execution is handed over
    to the main system. (Closes: #943459)
  * debian/dropbear.postinst: Remove comparison with ancient version 0.50-4
    (released in 2008).
  * debian/control: dropbear: Add Pre-Depends: ${misc:Pre-Depends}.
  * debian/control: Bump Standards-Version to 4.5.0 (no changes necessary).
  * debian/control: Set 'Rules-Requires-Root: no'.
  * debian/control: Remove duplicate Depends: lsb-base.
  * debian/control: Bump minimum version for libtomcrypt and libtommath.
  * Install dropbearconvert(1) to /usr/bin, and add a compatibility symlink
    in its previous location /usr/lib/dropbear.

  [ Johannes 'josch' Schauer ]
  * Add autopkgtest to test dropbear-initramfs. (Closes: #934753)
  * Enable Salsa CI tests.

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Add missing dependency on lsb-base.
  * Bump debhelper from old 9 to 12.
  * Drop unnecessary dependency on dh-autoconf.
  * Rely on pre-initialized dpkg-architecture variables.
  * Fix day-of-week for changelog entries 0.32cvs-1, 0.32cvs-1.
  * Wrap long lines in changelog entries: 2014.64-1.

 -- Guilhem Moulin <guilhem@debian.org>  Tue, 16 Jun 2020 02:50:00 +0200

dropbear (2019.78-2) unstable; urgency=medium

  * Improve upgrade path via Recommends and NEWS entry.
  * d/control:
    + Change dropbear's Recommends to 'cryptsetup-initramfs' from
      'cryptsetup'. That's the package shipping cryptsetup's initramfs
      integration.
    + Bump Standards-Version to 4.4.0 (no changes necessary).

 -- Guilhem Moulin <guilhem@debian.org>  Sat, 27 Jul 2019 18:20:59 -0300

dropbear (2019.78-1) unstable; urgency=medium

  * New upstream release.
  * Rename 'dropbear-run' to 'dropbear'.
    'dropbear-run' is now a transitional dummy package depending on
    'dropbear'. This completes the package split started with 2015.68-1.
  * dropbear-initramfs: Remove backward compatibility checks and warnings
    that were added for the upgrade path from Jessie to Stretch.
    (Closes: #926875)

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 08 Jul 2019 17:06:07 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog dropbear-initramfs`.