https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html
announces the release of Dropbear SSH 2025.88 including this fix:
- Security: Don't allow dbclient hostname arguments to be interpreted
by the shell.
dbclient hostname arguments with a comma (for multihop) would be
passed to the shell which could result in running arbitrary shell
commands locally. That could be a security issue in situations
where dbclient is passed untrusted hostname arguments.
Now the multihop command is executed directly, no shell is involved.
Thanks to Marcin Nowak for the report, tracked as CVE-2025-47203
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
