Our Dropbear package bundles the libraries libtommath and libtomcrypt [0], and their bundled changelogs imply that they date from 2006.

The Dropbear CHANGES [1] file shows that some attempt has been made to cherry-pick some bug fixes. It also looks like Dropbear has made their own changes to the bundled libraries.

Apparently it is possible to build against non-bundled libraries [2].

Both libraries have had new releases in the last ten years [3].

It appears that Debian does use the bundled libraries [4].

In July, I asked Matt Johnston, the Dropbear author, how far the bundled copies had diverged from upstream and if it was safe to unbundle them, but I didn't get a response.

[0]
https://github.com/libtom
https://github.com/mkj/dropbear/tree/master/libtomcrypt
https://github.com/mkj/dropbear/tree/master/libtommath

[1]
https://github.com/mkj/dropbear/blob/master/CHANGES#L481

[2]
https://github.com/mkj/dropbear/blob/master/CHANGES#L532
"- Attempt to build against system libtomcrypt/libtommath if available. This can be disabled with ./configure --enable-bundled-libtom"

[3]
https://github.com/libtom/libtomcrypt/releases
https://github.com/libtom/libtommath/releases

[4]
https://packages.debian.org/sid/dropbear