6ad8220f49
(CVE-2016-7406) and a problem importing malicious OpenSSH keys (CVE-2016-7407) both of which could result in arbitrary code running as root in some conditions (though the worst one requires usernames including '%' which is uncommon with OpenBSD as adduser and useradd reject this, however it is possible by editing the password file directly). See https://matt.ucc.asn.au/dropbear/CHANGES for more details.