V8.13.400.2025.11.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

upgrades/dropbear/SHA512SUM.asc

@@ -0,0 +1,24 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265  CHANGES
+738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d  dropbear-2025.87.tar.bz2
+af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be  dropbear-2025.87.tar.bz2.asc
+783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4  dropbear-2025.88.tar.bz2
+fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411  dropbear-2025.88.tar.bz2.asc
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc
+Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f
+hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL
+IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL
+Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h
+HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL
+cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W
+f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH
+HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i
+AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS
+QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z
+4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI=
+=/DnI
+-----END PGP SIGNATURE-----

upgrades/dropbear/dropbear-2025.88.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc
+Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa
+W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf
+P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8
+Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd
+SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w
+Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4
+dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1
+Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5
+kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS
+Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex
+93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo=
+=uS3y
+-----END PGP SIGNATURE-----

upgrades/dropbear/localoptions.h

@@ -0,0 +1,114 @@
+/* # SPDX-Version: 3.0 */
+/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev> */
+/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
+/* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
+/* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu> */
+/* # SPDX-FileType: SOURCE */
+/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
+/* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
+/* # SPDX-PackageName: CISS.debian.installer */
+/* # SPDX-Security-Contact: security@coresecret.eu */
+
+#ifndef DROPBEAR_LOCALOPTIONS_H_
+#define DROPBEAR_LOCALOPTIONS_H_
+
+/* Override default port */
+#define DROPBEAR_DEFPORT "42137"
+
+/* disable DH-group14 to remove 2048-bit moduli */
+#undef DROPBEAR_DH_GROUP14_SHA256
+#define DROPBEAR_DH_GROUP14_SHA256 0
+
+/* Disable small code optimization */
+#undef DROPBEAR_SMALL_CODE
+#define DROPBEAR_SMALL_CODE 0
+
+/* Cipher changes */
+#undef DROPBEAR_AES128
+#define DROPBEAR_AES128 0
+
+/* replace default MAC-Liste: nur encrypt-teh-MAC Varianten */
+#undef DROPBEAR_MAC_ALGS
+#define DROPBEAR_MAC_ALGS \
+    "hmac-sha2-256-etm@openssh.com", \
+    "hmac-sha2-512-etm@openssh.com"
+
+/* replace default KEX-Liste: nur Curve25519, DH-group16 und die PQ-Hybriden */
+#undef DROPBEAR_KEX_ALGS
+#define DROPBEAR_KEX_ALGS \
+    "curve25519-sha256", \
+    "diffie-hellman-group16-sha512", \
+    "sntrup761x25519-sha512", \
+    "mlkem768x25519-sha256"
+
+/* Message of the day disabled */
+#undef DO_MOTD
+#define DO_MOTD 0
+
+/* Disable password auth (server and client) */
+#undef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 0
+#undef DROPBEAR_CLI_PASSWORD_AUTH
+#define DROPBEAR_CLI_PASSWORD_AUTH 0
+
+/* Adjust unauthenticated client and auth try limits */
+#undef MAX_UNAUTH_CLIENTS
+#define MAX_UNAUTH_CLIENTS 10
+#undef MAX_AUTH_TRIES
+#define MAX_AUTH_TRIES 6
+
+/* Disable built-in SFTP server */
+#undef DROPBEAR_SFTPSERVER
+#define DROPBEAR_SFTPSERVER 0
+
+/* Disable NIST ECDSA host keys */
+#undef DROPBEAR_ECDSA
+#define DROPBEAR_ECDSA 0
+
+/* Disable NIST ECDH key exchange */
+#undef DROPBEAR_ECDH
+#define DROPBEAR_ECDH 0
+
+/* Enforce AEAD ciphers only: disable CTR, enable GCM */
+#undef DROPBEAR_ENABLE_CTR_MODE
+#define DROPBEAR_ENABLE_CTR_MODE 0
+#undef DROPBEAR_ENABLE_GCM_MODE
+#define DROPBEAR_ENABLE_GCM_MODE 1
+
+/* Prevent fallback to encrypt-and-MAC algorithms */
+#undef DROPBEAR_USER_ALGO_LIST
+#define DROPBEAR_USER_ALGO_LIST 1
+
+/* Disable client proxy commands to prevent arbitrary command execution */
+#undef DROPBEAR_CLI_PROXYCMD
+#define DROPBEAR_CLI_PROXYCMD 0
+
+/* Disable netcat mode to avoid forwarding misuse */
+#undef DROPBEAR_CLI_NETCAT
+#define DROPBEAR_CLI_NETCAT 0
+
+/* Disable agent forwarding to avoid credential relay */
+#undef DROPBEAR_SVR_AGENTFWD
+#define DROPBEAR_SVR_AGENTFWD 0
+#undef DROPBEAR_CLI_AGENTFWD
+#define DROPBEAR_CLI_AGENTFWD 0
+
+/* Disable TCP forwarding if not required */
+#undef DROPBEAR_SVR_REMOTETCPFWD
+#define DROPBEAR_SVR_REMOTETCPFWD 0
+#undef DROPBEAR_SVR_LOCALSTREAMFWD
+#define DROPBEAR_SVR_LOCALSTREAMFWD 0
+#undef DROPBEAR_CLI_LOCALTCPFWD
+#define DROPBEAR_CLI_LOCALTCPFWD 0
+#undef DROPBEAR_CLI_REMOTETCPFWD
+#define DROPBEAR_CLI_REMOTETCPFWD 0
+
+/* Enforce sensible defaults for keepalives and idle timeouts */
+#undef DEFAULT_KEEPALIVE
+#define DEFAULT_KEEPALIVE 60
+#undef DEFAULT_IDLE_TIMEOUT
+#define DEFAULT_IDLE_TIMEOUT 300
+
+#endif /* DROPBEAR_LOCALOPTIONS_H_ */
+
+/* vim: set filetype=c ts=2 sw=2 sts=2 et ai tw=100 */