Our Dropbear package bundles the libraries libtommath and libtomcrypt, and their bundled changelogs imply that they date from 2006.
The Dropbear CHANGES file shows that some attempt has been made to cherry-pick some bug fixes. It also looks like Dropbear has made their own changes to the bundled libraries. Apparently it is possible to build against non-bundled libraries. Both libraries have had new releases in the last ten years. It appears that Debian does use the bundled libraries. In July, I asked Matt Johnston, the Dropbear author, how far the bundled copies had diverged from upstream and if it was safe to unbundle them, but I didn't get a response.

https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

https://github.com/mkj/dropbear/blob/master/CHANGES#L481

https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available. This can be disabled with ./configure --enable-bundled-libtom"

https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

https://packages.debian.org/sid/dropbear