According to the RedHat summary [1]:

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.

Upstream ref [2]
Patch [3]

--
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-9078
[2] http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html
[3] https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c
*** This bug has been marked as a duplicate of bug 619002 ***