See upstream changelog:
"Validate X11 forwarding input. Could allow bypass of authorized_keys command= restrictions, found by github.com/tintinweb. Thanks to Damien Miller for a patch."
Same bug is also in openssh, see #576954.
dropbear-2016.72 is already in the tree, needs stabilization.
2016.73 is in tree so calling for stabilization of that package.
@arches, please stabilize the following:
Stable on alpha.
done arm64/hppa/ia64/m68k/ppc/ppc64/s390/sh/sparc/x86 now (all the rest)
New GLSA request filed.
@maintainer(s), please clean up the vulnerable versions.
CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote
authenticated users to bypass intended shell-command restrictions via
crafted X11 forwarding data.
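For reference, the defensive check the upstream changelog describes ("Validate X11 forwarding input") amounts to refusing any client-supplied X11 auth protocol name or cookie that carries bytes outside a strict whitelist, so a CR/LF pair can never reach a command line built from those fields. The following is an added example written for this bug, not Dropbear's own code or Damien Miller's patch; the character classes, the length caps and the function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example; upstream's actual caps may differ. */
#define X11_MAX_PROTO_LEN  64
#define X11_MAX_COOKIE_LEN 512

/* Auth protocol name (e.g. "MIT-MAGIC-COOKIE-1"): non-empty, bounded, and
 * drawn only from [A-Za-z0-9._-]. Taking an explicit length instead of
 * trusting a NUL terminator means an embedded NUL is rejected rather than
 * silently truncating the string. */
int x11_valid_authproto(const char *buf, size_t len)
{
    if (buf == NULL || len == 0 || len > X11_MAX_PROTO_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.')
            return 0;
    }
    return 1;
}

/* Auth cookie: non-empty, bounded, even-length, hex digits only. CR, LF,
 * quotes and every other shell-significant byte fail this test. */
int x11_valid_authcookie(const char *buf, size_t len)
{
    if (buf == NULL || len == 0 || len > X11_MAX_COOKIE_LEN || (len % 2) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isxdigit((unsigned char)buf[i]))
            return 0;
    }
    return 1;
}

/* Gate for the whole request: both fields must pass before either byte is
 * placed in an xauth command line or anywhere else. */
int x11_forward_request_ok(const char *proto, size_t plen,
                           const char *cookie, size_t clen)
{
    return x11_valid_authproto(proto, plen) &&
           x11_valid_authcookie(cookie, clen);
}

/* Stand-alone demo over constructed inputs. */
int main(void)
{
    const char *good_proto = "MIT-MAGIC-COOKIE-1";
    const char *good_cookie = "0a1b2c3d4e5f60718293a4b5c6d7e8f9";
    /* Constructed hostile value: a CRLF followed by extra text. */
    const char *crlf_cookie = "0a1b\r\nextra-line";

    printf("valid request:  %d\n",
           x11_forward_request_ok(good_proto, strlen(good_proto),
                                  good_cookie, strlen(good_cookie)));
    printf("CRLF in cookie: %d\n",
           x11_forward_request_ok(good_proto, strlen(good_proto),
                                  crlf_cookie, strlen(crlf_cookie)));
    return 0;
}
```

The whitelist approach is deliberately stricter than "strip CR and LF": a deny-list of two bytes leaves quotes, semicolons and other metacharacters in play, whereas admitting only the bytes the xauth format legitimately needs closes the whole class.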
This issue was resolved and addressed in
GLSA 201607-08 at https://security.gentoo.org/glsa/201607-08
by GLSA coordinator Aaron Bauman (b-man).