Unsupported Dropbear Version

peter.fowler
Member
 
Posts: 13
Joined: Thu Sep 03, 2020 6:22 pm
Has thanked: 0 time
Been thanked: 1 time

Unsupported Dropbear Version

Sun Mar 28, 2021 9:45 pm

Hi,

We are using multiple WS-26-400-IDC switches (firmware version 1.5.6) to monitor some PoE cameras at some of our special buildings and we are getting notified by our vulnerability management software (Tenable) that our version of Dropbear SSL Server is no longer supported and is at risk of multiple vulnerabilities with a VPR rating of 6.7/10 (we are running version 0.53 and the supported version is 2016.74). Is there going to be a firmware update that will fix these vulnerabilities in the future?

Stephen
Employee
 
Posts: 1033
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 85 times
Been thanked: 181 times

Re: Unsupported Dropbear Version

Mon Mar 29, 2021 1:00 pm

This is being explored presently.

Stephen
Employee
 
Posts: 1033
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 85 times
Been thanked: 181 times

Re: Unsupported Dropbear Version

Mon Apr 12, 2021 10:55 pm

For anyone interested, we have now upgraded to Dropbear 2020.81 on v.1.5.9rcX, and you can download it here

peter.fowler
Member
 
Posts: 13
Joined: Thu Sep 03, 2020 6:22 pm
Has thanked: 0 time
Been thanked: 1 time

Re: Unsupported Dropbear Version

Mon Aug 09, 2021 11:40 pm

Hi Stephen, thanks for the update regarding 1.5.9 RC1 but is there a specific timeframe for when this version will go into the stable channel as I am hesitant to upgrade our switches to an RC build? Also is the RC build the preferred option though for future updates?

Stephen
Employee
 
Posts: 1033
Joined: Sun Dec 24, 2017 8:56 pm
Has thanked: 85 times
Been thanked: 181 times

Re: Unsupported Dropbear Version

Tue Aug 17, 2021 11:20 am

Hello peter.fowler, it will eventually be integrated into a 1.5.9 release. If you wish to wait to update until then, that is OK, but as a rule, typically RC releases from us are fine in production unless otherwise specified in the release notes.

peter.fowler
Member
 
Posts: 13
Joined: Thu Sep 03, 2020 6:22 pm
Has thanked: 0 time
Been thanked: 1 time

Re: Unsupported Dropbear Version

Sun Jan 30, 2022 4:16 pm

Thanks for the update and sorry for not replying sooner, but do you have an approximate ETA for these features as part of stabilizing 1.5.9 to production? My manager and our security manager are keen to know what the next steps will be, including a roadmap for this (FYI, all our WS-26-400-IDC switches are now on the 1.5.8 production release build).

peter.fowler
Member
 
Posts: 13
Joined: Thu Sep 03, 2020 6:22 pm
Has thanked: 0 time
Been thanked: 1 time

Re: Unsupported Dropbear Version

Sun Feb 27, 2022 4:38 pm

I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus)

sirhc
Employee
 
Posts: 7415
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Unsupported Dropbear Version

Sun Feb 27, 2022 5:47 pm

peter.fowler wrote: I can confirm that updating to version 1.5.11 (which is now in production) fixes the Dropbear version vulnerability in Tenable.io (Nessus)


Yes, when Eric updated openssl to a version that supported TLS 1.2, that would affect SSH / EMAIL / HTTPS, as I think they all share that package.