Bug 2427282 - CVE-2025-14282 dropbear: privilege escalation via unix domain socket forwardings [epel-8]
Summary: CVE-2025-14282 dropbear: privilege escalation via unix domain socket forwardi...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: dropbear
Version: epel8
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: fedepell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["7498568c-635e-4f69-adbb-5...
Depends On:
Blocks: CVE-2025-14282
TreeView+ depends on / blocked
 
Reported: 2026-01-06 02:41 UTC by Patrick Del Bello
Modified: 2026-01-06 04:13 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-01-06 04:13:24 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Patrick Del Bello 2026-01-06 02:41:37 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Comment 1 fedepell 2026-01-06 04:13:24 UTC 
According to upstream:

- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
  server. Other programs on a system may authenticate unix sockets via
  SO_PEERCRED, which would be root user for Dropbear forwarded connections,
  allowing root privilege escalation.
  Reported by Turistu, and thanks for advice on the fix.
  This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.

So this should not affect EPEL8 (and EPEL9) current versions.
Note You need to log in before you can comment on or make changes to this bug.