Security fixes:
- Message printout was vulnerable to format string injection
- dropbearconvert import of OpenSSH keys could run arbitrary code
as the local dropbearconvert user when parsing malicious key
files
- dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided
- dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
Fixes:
- Fix port forwarding failure when connecting to domains that have
both IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete
Known changes:
- Fix crash when forwarded TCP connections fail to connect
(bug introduced in 2015.68)
- Avoid hang on session close when multiple sessions are started,
affects Qt Creator
- Reduce per-channel memory consumption in common case, increase default
channel limit from 100 to 1000 which should improve SOCKS forwarding
for modern webpages
- Handle multiple command line arguments in a single flag
- Manpage improvements
- Build fixes for Android
- Don't display the MOTD when an explicit command is run
- Check curve25519 shared secret isn't zero
I made it statically build by default
I had to fix the zlib static cross-build, because the native stripping corrupted the target
static library. It is not the first time I see this.
I add drobear to the cross-built packages for hydra.
svn path=/nixpkgs/trunk/; revision=20518