Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > linux.debian.changes > #13676

Accepted openssh 1:10.0p1-7+deb13u3 (source) into proposed-updates

From Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Newsgroups linux.debian.changes
Subject Accepted openssh 1:10.0p1-7+deb13u3 (source) into proposed-updates
Date 2026-05-05 20:40 +0200
Message-ID <MRsQx-2PLL-9@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1130595 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user- trusted CA keys in authorized_keys,
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.
 .
 openssh (1:10.0p1-7+deb13u2) trixie-security; urgency=medium
 .
   * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
     use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
     initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
Checksums-Sha1:
 588570b8d24a58d165326e779ccfe04e356573e7 3609 openssh_10.0p1-7+deb13u3.dsc
 b4f91988a8c898e3339683fd5c622c7932cc5902 215064 openssh_10.0p1-7+deb13u3.debian.tar.xz
Checksums-Sha256:
 d4370c9fc63b3f4ea445fdc7288e372e089c1740f0287170387000e264fa3b38 3609 openssh_10.0p1-7+deb13u3.dsc
 b80912092af7d7ecbc8f0c784a68d86d5e54b4d6b69038ab7faa891f774db24c 215064 openssh_10.0p1-7+deb13u3.debian.tar.xz
Files:
 0b8ba8ff968b873866aa509cbdc98f3c 3609 net standard openssh_10.0p1-7+deb13u3.dsc
 26afa767738b86933b2dfff05155b438 215064 net standard openssh_10.0p1-7+deb13u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmn5xdoACgkQOTWH2X2G
UAvh6g/9GjIj4m/UXC4f3ylY8+5c6U+iyptFtkyW7ijHOx3uB8hjeYNSeZEWO02e
Qo9hTkWD6SwTwy4Q3jyUqsJcz1XAm5J91tmXo2Nocwt3OSSDD/V7+yNI9rp+tzur
9Exe2K0alid5m8awLLapRM+zRMZuykDbhqeQ3/mus67Pw7XoMXoyZSHvJnggqWdp
mNYIJaqhzgtjXUzGzMPhpV1iRFtTYEaSpqRMKyrnFM6BgKH9ZLVdE/C4NgP1kgxC
rFNgBqZHkjIkmya4JjdY2fUoNIJFIWiTb6NrRfG6sIN7ouyoKf3ukuIp22cUHG/h
SstkPe9mRiNolp81TD7QPCQxaZ+9qEyrFR9fr90NHjI7pqhSXIru9kQWU/o88Nsh
JN07qCaoyTxK+fnJSZiRG2eIkIg1T9pxxU0pMR+xrKTGgpgXF9RaCEfhPStKeuTx
VISqOBXailVAZ6kCOCsWfFuCQ5cCSUorQpatC8Lc1omXYouDz+N5b5uPzf1/0x65
7k8L7dFekkAZqIWg//nzZUiYs0Ic79BeHb6A8F3GLRyUnjzl4B9oz2GgAZRnzZgy
IrHmU1FSYZ89w/EiMtIKwqd3qsjgFBbV5ilIB1IdTV/CTt1JPmJ1407prz+QvRBg
RVDo+CWrmPGQ+H8WazltPyQVZv0uMe4dEZpAvUt6ZKjCU5NHpD0=
=CGtA
-----END PGP SIGNATURE-----

Back to linux.debian.changes | Previous | Next | Find similar

Thread

Accepted openssh 1:10.0p1-7+deb13u3 (source) into proposed-updates Debian FTP Masters <ftpmaster@ftp-master.debian.org> - 2026-05-05 20:40 +0200

csiph-web