-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: arm64
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: arm64 Build Daemon (arm-conova-04) <buildd_arm64-arm-conova-04@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys,
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.
Checksums-Sha1:
 74855226babc7e341b281932f56d8fa318055ddf 4038272 openssh-client-dbgsym_10.0p1-7+deb13u3_arm64.deb
 cef1bf84e3cf8608811a69d21413861093a9b106 354672 openssh-client-udeb_10.0p1-7+deb13u3_arm64.udeb
 d198c1331c500acee0fb36913aeb7db81411ac0c 927364 openssh-client_10.0p1-7+deb13u3_arm64.deb
 aedad15df78e22073108d30ee79c8af0fff1c007 2505288 openssh-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 3cb7ea3d8c67a6f7d7c882c200287d0234a5394f 469672 openssh-server-udeb_10.0p1-7+deb13u3_arm64.udeb
 4f38365aa1b176bd07b9acf8893c745a2dce12b5 554416 openssh-server_10.0p1-7+deb13u3_arm64.deb
 051f0bc73cad47cadd4339d73495cb57db579551 170556 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 0d70294e50d5eb93b2fa13b3a93f24adf535792c 60608 openssh-sftp-server_10.0p1-7+deb13u3_arm64.deb
 3e5532fb671c1131c60e164e0ba3d68ade5cfde7 3106056 openssh-tests-dbgsym_10.0p1-7+deb13u3_arm64.deb
 2577b8bc28ad8f6dfb6d1f92098e95c081732a4d 996876 openssh-tests_10.0p1-7+deb13u3_arm64.deb
 bfab8e306bba09508f17fc9d72a15126dd0fdc33 18677 openssh_10.0p1-7+deb13u3_arm64-buildd.buildinfo
 c7de72ddf2bf33b302d36aed6e1ed1350ca83b6e 17180 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_arm64.deb
 27ebf51f81193433b9fad7e36ebccf26a5b0cae2 157812 ssh-askpass-gnome_10.0p1-7+deb13u3_arm64.deb
Checksums-Sha256:
 243c21a18fe3e050d0ef1190a9a7003372f46e6ef104191a5973b8636fa1dfa0 4038272 openssh-client-dbgsym_10.0p1-7+deb13u3_arm64.deb
 f160aa61b4254a08e0f2b1a309a6b4c8e10e93758ec60f3ceba7d1ddbffe43d7 354672 openssh-client-udeb_10.0p1-7+deb13u3_arm64.udeb
 9d62b428fb8d98263dc96e0b21393f765d50ca7f18528bcdf2cc40a096af9930 927364 openssh-client_10.0p1-7+deb13u3_arm64.deb
 ced63b5c647fe267ce977f26e23e3f85457ae9ca032c0274e7d14619f80a48c7 2505288 openssh-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 1d7480d8764513e1f55a38e793ab8a8a3df935fe9bc2e497843b6b438dc1157b 469672 openssh-server-udeb_10.0p1-7+deb13u3_arm64.udeb
 e7657f9763a0904ac62843a0e0af1a6214d71ea8a43aeaf974cd2facf354c876 554416 openssh-server_10.0p1-7+deb13u3_arm64.deb
 0165d3d7664ffb38cfff1e7f4700b757deb68b9a5ea107c603c1d20d8a54f3a7 170556 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 44b3d5523b0fa80126e5582e99c7b797a05fe9737db84dd3d55a40f9669cd051 60608 openssh-sftp-server_10.0p1-7+deb13u3_arm64.deb
 8731c4ec28552b159fde2697f03749350c128d7a3cf714b82d0c23547ff4c4f3 3106056 openssh-tests-dbgsym_10.0p1-7+deb13u3_arm64.deb
 f545223def858c7d8f6a07613c61ca3b90b03535ba02b5f66ce3106bfbc74064 996876 openssh-tests_10.0p1-7+deb13u3_arm64.deb
 4116789c9c944a0ed2a660d77c5644384c8eec6a95248df9a8ff69d244e07ac1 18677 openssh_10.0p1-7+deb13u3_arm64-buildd.buildinfo
 179136fd0970493d34ea1fa8ec7cd0400681a8b639c97cafb91b1a12b5281430 17180 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_arm64.deb
 0afbd20a742b21180364b20cd9bf72f5350510ce74ea44da473673791a83a225 157812 ssh-askpass-gnome_10.0p1-7+deb13u3_arm64.deb
Files:
 97e1d46578ee27c21dd86bf6802a07b8 4038272 debug optional openssh-client-dbgsym_10.0p1-7+deb13u3_arm64.deb
 1c22d3cd6fe9e2888a8c19d00e8b923b 354672 debian-installer optional openssh-client-udeb_10.0p1-7+deb13u3_arm64.udeb
 f16ac337411bec7d17fd65761ee2d64d 927364 net standard openssh-client_10.0p1-7+deb13u3_arm64.deb
 9ca2458149b4e74197e300a870cd4087 2505288 debug optional openssh-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 c31c223db3917e20f3887b74ed9bcd68 469672 debian-installer optional openssh-server-udeb_10.0p1-7+deb13u3_arm64.udeb
 3d6a05747dccc3fecbb1a12191e71745 554416 net optional openssh-server_10.0p1-7+deb13u3_arm64.deb
 3d2c1f53d4f3ab371efb21a659e1a0f6 170556 debug optional openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_arm64.deb
 989ec25ad78d242125db8c76d16a62e8 60608 net optional openssh-sftp-server_10.0p1-7+deb13u3_arm64.deb
 69e252b0386e5dbe7ef7f5552b15fbe3 3106056 debug optional openssh-tests-dbgsym_10.0p1-7+deb13u3_arm64.deb
 91baf195ec6570c18a4bfd996d2c2a22 996876 net optional openssh-tests_10.0p1-7+deb13u3_arm64.deb
 c6524b53e77f8daf53ec74054c4ca0ff 18677 net standard openssh_10.0p1-7+deb13u3_arm64-buildd.buildinfo
 07e1c77d72c54864b3f8c3d72a10bdf3 17180 debug optional ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_arm64.deb
 2ff7d6c8bee39a9ce8cb9e4d564e541f 157812 gnome optional ssh-askpass-gnome_10.0p1-7+deb13u3_arm64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
