Sorry, permissions should be fixed now.

Matt

On 7 May 2025 9:34:55 pm AWST, Sebastian Gottschall <[email protected]> wrote:
>
> Forbidden
>
> You don't have permission to access this resource.
>
>
> On 07.05.2025 at 14:29, Matt Johnston wrote:
>> Hi all,
>>
>> Dropbear 2025.88 is released. It has a few regression fixes
>> from 2025.87, and a security fix applicable to users of
>> dbclient where the hostname argument might be set from
>> untrusted input.
>>
>> https://matt.ucc.asn.au/dropbear/
>> https://dropbear.nl/mirror/
>>
>> Cheers,
>> Matt
>>
>> 2025.88 - 7 May 2025
>>
>> - Security: Don't allow dbclient hostname arguments to be interpreted
>>   by the shell.
>>
>>   dbclient hostname arguments with a comma (for multihop) would be
>>   passed to the shell which could result in running arbitrary shell
>>   commands locally. That could be a security issue in situations
>>   where dbclient is passed untrusted hostname arguments.
>>
>>   Now the multihop command is executed directly, no shell is involved.
>>   Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203
>>
>> - Fix compatibility for htole64 and htole32, regression in 2025.87
>>   Patch from Peter Fichtner to work with old GCC versions, and
>>   patch from Matt Robinson to check different header files.
>>
>> - Fix building on older compilers or libc that don't support
>>   static_assert(). Regression in 2025.87
>>
>> - Support ~R in the client to force a key re-exchange.
>>
>> - Improve strict KEX handling. Dropbear previously would allow other
>>   packets at the end of key exchange prior to receiving the remote
>>   peer's NEWKEYS message, which should be forbidden by strict KEX.
>>   Reported by Fabian Bäumer.
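
For programs that build a dbclient hostname argument from untrusted input, the multihop issue described in the changelog above can also be guarded against on the caller's side. The check below is an added example, not part of the original mail or of Dropbear's code; the function names and the allowed character set are assumptions chosen for illustration, not Dropbear's own hostname grammar.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowed in a hop besides ASCII letters and digits. A conservative
 * allow-list assumed for this example (not Dropbear's own grammar);
 * none of these characters is special to a POSIX shell. */
static const char HOP_EXTRA[] = ".-_@:";

/* One hop ([user@]host): non-empty, no leading '-', allow-listed only. */
static int hop_is_safe(const char *hop, size_t len)
{
    size_t i;
    if (len == 0 || len > 255 || hop[0] == '-')
        return 0;   /* empty hop, oversized, or would parse as an option */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)hop[i];
        if (!(c < 128 && isalnum(c)) && strchr(HOP_EXTRA, c) == NULL)
            return 0;
    }
    return 1;
}

/* Return 1 if spec (a host or comma-separated multihop list) is acceptable. */
int hostspec_is_safe(const char *spec)
{
    const char *start = spec, *p;
    if (spec == NULL)
        return 0;
    for (p = spec; ; p++) {
        if (*p != ',' && *p != '\0')
            continue;
        if (!hop_is_safe(start, (size_t)(p - start)))
            return 0;
        if (*p == '\0')
            return 1;
        start = p + 1;
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "user@gw.example.org,10.0.0.5", "gw;id,10.0.0.5" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-30s %s\n", samples[i], hostspec_is_safe(samples[i]) ? "ok" : "reject");
    return 0;
}
```

A rejected value should be refused outright rather than escaped or rewritten, and upgrading to 2025.88 remains the actual fix.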
