| Package | dropbear |
|---|---|
| Version | 2018.76-5+deb10u3 (buster) |
| Related CVEs | CVE-2025-47203 |

Marcin Nowak discovered that dbclient(1) hostname arguments with a comma (for multihop) are passed to the shell, which could result in running arbitrary shell commands locally. Such behavior could have security implications in situations where dbclient(1) is passed untrusted hostname arguments.
The multihop command is now executed directly (no shell is involved).
For Debian 10 buster, these problems have been fixed in version 2018.76-5+deb10u3.
We recommend that you upgrade your dropbear packages.
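
For programs that build dbclient(1) command lines from untrusted input, a strict check on the host argument is useful defence in depth alongside the upgrade. The following is an added example, not code from Dropbear or from this advisory; the function names, the allowlist pattern and the sample inputs are assumptions made for illustration.

```python
import re

# One hop: optional "user@" followed by a DNS name or IPv4 literal.
# Assumption: callers do not need port suffixes or IPv6 literals, so anything
# outside this conservative allowlist is rejected rather than escaped.
_HOP = re.compile(
    r"(?:[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}@)?"
    r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?"
)


def validate_host_arg(arg, allow_multihop=False):
    """Return the list of hops if arg is acceptable, else raise ValueError."""
    if not isinstance(arg, str) or not arg:
        raise ValueError("empty host argument")
    hops = arg.split(",")
    # The advisory concerns comma (multihop) arguments, so refuse them unless
    # the caller explicitly needs the feature.
    if len(hops) > 1 and not allow_multihop:
        raise ValueError("multihop (comma) host argument not permitted")
    for hop in hops:
        # fullmatch: the whole hop must match, so whitespace, newlines, shell
        # metacharacters and a leading "-" (option injection) are all refused.
        if not _HOP.fullmatch(hop):
            raise ValueError(f"rejected hop: {hop!r}")
    return hops


def build_dbclient_argv(host_arg, remote_command=(), allow_multihop=False):
    """Build an argv list for subprocess.run(argv) after validating the host.

    Avoiding a shell in the caller is not enough on unfixed versions: per the
    advisory, dbclient itself passed multihop arguments to the shell.
    """
    validate_host_arg(host_arg, allow_multihop)
    return ["dbclient", host_arg, *remote_command]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["db1.example.org", "ops@gw.example.org,db1.example.org",
                   "gw.example.org,$(id)", "-v"]:
        try:
            print("ok  ", build_dbclient_argv(sample, allow_multihop=True))
        except ValueError as err:
            print("deny", err)
```
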
Further information about Extended LTS security advisories can be found in the dedicated section of our website.