CVE-2025-47203 was announced here: https://www.openwall.com/lists/oss-security/2025/05/09/4

Upstream fix: https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => dropbear-2025.87-1.mga10.src.rpm, dropbear-2022.83-2.1.mga9.src.rpm
CVE: (none) => CVE-2025-47203
Status comment: (none) => Fixed upstream in 2025.88 and patch available from upstream
Assigning to danf; you currently maintain this pkg.
Assignee: bugsquad => dan
dropbear-2025.88-1.mga10 fixes this in Cauldron.
Status: NEW => ASSIGNED
Here is a regression test procedure to verify that proxy-cmd and multihop functionality still works. First, run "sudo urpmi netcat-openbsd" to install nc. Then, run each of these two commands:

dbclient -J 'nc git.mageia.org 22' git@git.mageia.org
dbclient localhost,git@git.mageia.org

When run by a packager on a machine with a locally-accessible ssh server installed on localhost, each of these commands should show a couple of screenfuls of git repository names (likely with bad line endings) but no error messages.

Here's another command line that seems to tickle this vulnerability more directly:

dbclient 'localhost,localhost:22 999;' whoami

This hangs on the vulnerable version and returns the error "dbclient: Exited: Failed to run 'dbclient'" on the fixed version. Note that the vulnerability appears to be in the client only, so it should be able to just as easily be tested against an OpenSSH server.

dropbear-2022.83-2.2.mga9 is now available in updates_testing. Here's a suggested advisory:

Advisory
========

dbclient in Dropbear SSH before 2025.88 allows command injection via an untrusted hostname argument, because a shell is used.

RPMs:
dropbear-2022.83-2.2.mga9

SRPM:
dropbear-2022.83-2.2.mga9.src.rpm

Link:
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html

Whiteboard: MGA9TOO => MGA9TOO, has_procedure
Assignee: dan => qa-bugs
CC: (none) => dan
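An added example, written for this page and not taken from the bug report or from Dropbear, that does two things for the trigger in comment #4: it contrasts the vulnerable spawn style (hostname interpolated into a string that a shell parses, which the advisory text describes) with the fixed style (hostname passed as a single argv element), using printf as a stand-in for the helper a client would launch, and it wraps the comment #4 trigger in a timeout so the "hangs" versus "Failed to run 'dbclient'" oracle from the thread can be checked without watching a terminal. Assumptions: dbclient is in PATH, an ssh server listens on localhost:22, coreutils timeout(1) is available, and the 30 s limit is an arbitrary choice shorter than the connect timeout seen in comment #6.

```shell
#!/bin/sh
# Added example (not Dropbear code, not from the bug report).
# Assumes: dbclient in PATH, sshd on localhost:22, coreutils timeout(1).

# Vulnerable pattern: hostname and remote command are pasted into one string that
# /bin/sh parses, so a ';' inside the hostname terminates the command and whatever
# follows runs as a separate command. printf stands in for the spawned helper.
spawn_via_shell() {
    host=$1
    cmd=$2
    sh -c "printf '%s\n' $host $cmd" 2>/dev/null
}

# Fixed pattern: each value is one argv element; nothing re-parses it.
spawn_direct() {
    printf '%s\n' "$1" "$2"
}

# Turn the outcome of the comment #4 trigger into a verdict.
#   $1 = exit status from timeout(1); 124 means it was killed, i.e. the hang
#        that comment #4 reports for the vulnerable build
#   $2 = captured stderr; the fixed build reports "Failed to run 'dbclient'"
classify() {
    if [ "$1" -eq 124 ]; then
        echo vulnerable
    elif printf '%s' "$2" | grep -q "Failed to run 'dbclient'"; then
        echo fixed
    else
        echo unknown
    fi
}

# Run the exact trigger from comment #4 under a timeout (30 s is an assumption).
# stderr is captured for classify; stdout is discarded.
run_trigger() {
    err=$(timeout 30 dbclient 'localhost,localhost:22 999;' whoami 2>&1 >/dev/null)
    classify "$?" "$err"
}

# Only hit the real dbclient when explicitly asked: ./check.sh run
if [ "${1:-}" = "run" ]; then
    run_trigger
fi
```

Invoke with the single argument `run` on the machine under test; without it the script only defines the helpers. With the hostname `localhost:22 999;` and command `whoami`, `spawn_via_shell` prints `localhost:22`, then `999`, then the output of a separately executed `whoami`, while `spawn_direct` prints the two arguments unchanged on two lines, which is the difference between the vulnerable and fixed client behaviour the advisory describes.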
MGA9-64 Plasma Wayland on Compaq H000SB. No installation issues. Ref bug 31119 for testing.

# systemctl stop sshd.service
# systemctl start dropbear.service
# systemctl -l status dropbear.service
● dropbear.service - Dropbear SSH Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dropbear.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-05-14 09:54:48 CEST; 15s ago
    Process: 11551 ExecStart=/usr/sbin/dropbear $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 11555 (dropbear)
      Tasks: 1 (limit: 8806)
     Memory: 308.0K
        CPU: 9ms
     CGroup: /system.slice/dropbear.service
             └─11555 /usr/sbin/dropbear

May 14 09:54:48 mach3.hviaene.thuis systemd[1]: Starting dropbear.service...
May 14 09:54:48 mach3.hviaene.thuis dropbear[11551]: Failed loading /etc/dropbear/dropbear_ed25519_host_key
May 14 09:54:48 mach3.hviaene.thuis dropbear[11555]: Running in background
May 14 09:54:48 mach3.hviaene.thuis systemd[1]: Started dropbear.service.

Then as normal user:

$ dbclient -o DisableTrivialAuth=yes localhost echo OK

Host 'localhost' is not in the trusted hosts file.
(ecdsa-sha2-nistp256 fingerprint SHA256:xm4I2A07V4saMHeOq+H2DMpDMDzCpE0631xswM4jWM0)
Do you want to continue connecting? (y/n) y
tester9@localhost's password:
OK

So go.

Whiteboard: MGA9TOO, has_procedure => MGA9TOO, has_procedure, MGA9-64-OK
CC: (none) => herman.viaene
RH x86_64

dbclient 'localhost,localhost:22 999;' whoami
dbclient: Connection to katnatek@999:22 exited: Connect failed: Connection timed out
dbclient: Connection to katnatek@localhost:22 999;:22 exited: Remote closed the connection

installing dropbear-2022.83-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                                  ##################################################
      1/1: dropbear                           ##################################################
      1/1: removing dropbear-2022.83-2.1.mga9.x86_64
                                              ##################################################

dbclient 'localhost,localhost:22 999;' whoami
dbclient: Exited: Failed to run 'dbclient'
dbclient: Connection to katnatek@localhost:22 999;:22 exited: Error writing: Broken pipe

Looks consistent with the test suggested in comment #4.

Whiteboard: MGA9TOO, has_procedure, MGA9-64-OK => MGA9TOO, MGA9-64-OK
Keywords: (none) => has_procedure
CC: (none) => andrewsfarm
Keywords: (none) => advisory
(In reply to Dan Fandrich from comment #2)
> dropbear-2025.88-1.mga10 fixes this in Cauldron.

Then I'm converting this into an MGA9 bug, and validating.

Whiteboard: MGA9TOO, MGA9-64-OK => MGA9-64-OK
Version: Cauldron => 9
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0158.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED