See upstream changelog: "Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks for Damien Miller for a patch." Same bug is also in openssh, see #576954. dropbear-2016.72 is already in the tree, needs stabilization.
2016.73 is in tree so calling for stabilization of that package. @arches, please stabilize the following: =net-misc/dropbear-2016.73
Stable on alpha.
amd64 stable
arm stable
done arm64/hppa/ia64/m68k/ppc/ppc64/s390/sh/sparc/x86 now (all the rest)
New GLSA request filed. @maintainer(s), please cleanup the vulnerable versions.
CVE-2016-3116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3116): CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.
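The CVE text above describes a CRLF injection in the X11 forwarding request: the auth protocol name and cookie sent by the client end up in a command line the server runs, so embedded CR/LF bytes let a user whose key is limited by command= run something else. The defensive fix is to validate those two strings before they reach any shell. The following C function is an added illustration written for this bug entry, not dropbear's own code (its exact character classes, the length limits and the function name are assumptions); it takes the strings as length-prefixed buffers, the way they arrive in the SSH channel request, and rejects anything that is not a plain protocol name or a hex cookie.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bounds assumed for this example, not dropbear's constants. */
#define X11_PROTO_MAX  64
#define X11_COOKIE_MAX 256

/* Return 1 if every byte in buf[0..len) passes ok() and 1 <= len <= max,
 * else 0. Control bytes such as '\r' and '\n' never pass either class,
 * so a CRLF-injected request is rejected here. */
static int all_bytes_ok(const char *buf, size_t len, size_t max,
                        int (*ok)(int)) {
    if (buf == NULL || len == 0 || len > max) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c >= 0x80 || !ok(c)) return 0;   /* reject non-ASCII outright */
    }
    return 1;
}

/* Protocol names look like "MIT-MAGIC-COOKIE-1": letters, digits, '-', '_', '.' */
static int proto_char_ok(int c) {
    return isalnum(c) || c == '-' || c == '_' || c == '.';
}

/* The cookie is hex-encoded, so only hex digits are acceptable. */
static int cookie_char_ok(int c) { return isxdigit(c); }

/* Validate an X11 forwarding request's auth data before it is used
 * anywhere near a command line. Returns 1 when safe, 0 when it must
 * be refused. */
int x11_auth_input_ok(const char *proto, size_t plen,
                      const char *cookie, size_t clen) {
    if (!all_bytes_ok(proto, plen, X11_PROTO_MAX, proto_char_ok)) return 0;
    if (!all_bytes_ok(cookie, clen, X11_COOKIE_MAX, cookie_char_ok)) return 0;
    if (clen % 2 != 0) return 0;   /* hex encoding of whole bytes */
    return 1;
}

int main(void) {
    /* Constructed sample inputs: one legitimate request, one with CRLF
     * smuggled into the protocol name, one with a newline in the cookie. */
    static const char good_proto[]  = "MIT-MAGIC-COOKIE-1";
    static const char good_cookie[] = "00112233445566778899aabbccddeeff";
    static const char bad_proto[]   = "MIT-MAGIC-COOKIE-1\r\nid";
    static const char bad_cookie[]  = "00112233\n445566";

    printf("legit request:     %d\n",
           x11_auth_input_ok(good_proto, sizeof good_proto - 1,
                             good_cookie, sizeof good_cookie - 1));
    printf("CRLF in protocol:  %d\n",
           x11_auth_input_ok(bad_proto, sizeof bad_proto - 1,
                             good_cookie, sizeof good_cookie - 1));
    printf("newline in cookie: %d\n",
           x11_auth_input_ok(good_proto, sizeof good_proto - 1,
                             bad_cookie, sizeof bad_cookie - 1));
    return 0;
}
```

The check is deliberately an allow-list rather than a search for "\r" and "\n": any byte outside the expected class (including NUL, other control characters and non-ASCII) is refused, which covers the injection named in the CVE and other shell-metacharacter problems of the same shape.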
This issue was resolved and addressed in GLSA 201607-08 at https://security.gentoo.org/glsa/201607-08 by GLSA coordinator Aaron Bauman (b-man).