-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: armel
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: armel Build Daemon (arm-ubc-01)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this
       can not be absolute given the variety of shells and user
       configurations in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate,
       an incorrect algorithm was used that could allow inappropriate
       matching in cases where a principal name in the certificate contains
       a comma character. Exploitation of the condition requires an
       authorized_keys principals="" option that lists more than one
       principal *and* a CA that will issue a certificate that encodes more
       than one of these principal names separated by a comma (typical CAs
       strongly constrain which principal names they will place in a
       certificate). This condition only applies to user-trusted CA keys in
       authorized_keys, the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
       Reported by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit
       (closes: #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other
       ECDSA algorithm would be accepted in its place regardless of whether
       it was listed or not. Reported by Christos Papakonstantinou of
       Cantina and Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested
       for proxy mode multiplexing sessions (i.e. "ssh -O proxy ...").
       Reported by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels. Fixes
       interactive vs bulk IPQoS for client->server traffic.
Checksums-Sha1:
 5839f101f39c71f7f1163102f4f61ed823f4d0a5 3776352 openssh-client-dbgsym_10.0p1-7+deb13u3_armel.deb
 76c7606150e50c87c27cfd9c34c454b6ee158a73 360180 openssh-client-udeb_10.0p1-7+deb13u3_armel.udeb
 e12bf956309ccef47e0cc92c8715e7569927bcf1 880308 openssh-client_10.0p1-7+deb13u3_armel.deb
 65fdaac32f65e14a82ff7d423f11a662dfec8afa 2363228 openssh-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 781e591035ab24ff236e11ab0b9f3d3cf57fef79 455112 openssh-server-udeb_10.0p1-7+deb13u3_armel.udeb
 21786771377c9168d5c88283e1d9566bf3f0115a 528716 openssh-server_10.0p1-7+deb13u3_armel.deb
 e88946d742e21553c6d6cef04d323884aa50a3e7 169972 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 0cdcdc166c9c079cddf01cc6a186da1aa46389c3 58468 openssh-sftp-server_10.0p1-7+deb13u3_armel.deb
 b46df051a39dcc5cc9ae0c220af0665c89dd4566 2917300 openssh-tests-dbgsym_10.0p1-7+deb13u3_armel.deb
 0501e189745a48e298bdfae8154094fc304b0276 926532 openssh-tests_10.0p1-7+deb13u3_armel.deb
 e2e9175377bee352a6895446d2bf361e3952ca19 18539 openssh_10.0p1-7+deb13u3_armel-buildd.buildinfo
 e3854f15003b179a1d6eda738c5631d76e328ad6 17188 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_armel.deb
 0d6f71bed899ed87ec23339b6b721a984477251b 157492 ssh-askpass-gnome_10.0p1-7+deb13u3_armel.deb
Checksums-Sha256:
 0d9092a4ec420cceda65429a6cf7c5bc8d8d75421e4abf109219d69e9f8d991b 3776352 openssh-client-dbgsym_10.0p1-7+deb13u3_armel.deb
 ea5b7a725482e17821c73e68fa9f45c208cc34749fce84f65a10995d92d142f9 360180 openssh-client-udeb_10.0p1-7+deb13u3_armel.udeb
 2a3a6acc76c9a415e6bedc20550275d9e0973d95d62ede038fe19c7d8ee627bc 880308 openssh-client_10.0p1-7+deb13u3_armel.deb
 1941c200743e9459c36ec6a629186ceb5060945a29860b9d41e9beb8636eafe2 2363228 openssh-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 2d9a92de64b42d1676c09112a2ae2e97469df4a20f971aa360bd32126b55e032 455112 openssh-server-udeb_10.0p1-7+deb13u3_armel.udeb
 840ef89f6dddb0bad1a06cdd67a6f59ac2f2dd3f9a7328cbb01d0b4a72895336 528716 openssh-server_10.0p1-7+deb13u3_armel.deb
 03271eb3aa583b4955ea219fc80bd0e307905be7e7712832122bab010829fe65 169972 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 d77117ada514ea19b25260806feaca912e1e8a4088089f12ddc481783459534c 58468 openssh-sftp-server_10.0p1-7+deb13u3_armel.deb
 f5a56de4e289617dd2c7a0c36abe009c85f835e6670e580299296631c90e70b4 2917300 openssh-tests-dbgsym_10.0p1-7+deb13u3_armel.deb
 82cfdd8c9c7c3c5df2dc60558840a5612f75a8c2d7c525a1dbf859efd97d1dc4 926532 openssh-tests_10.0p1-7+deb13u3_armel.deb
 117eb58ec22462f2c1289a399680900e6c15d001c43a78ce61e57afaf868b040 18539 openssh_10.0p1-7+deb13u3_armel-buildd.buildinfo
 4673d4b76cc279dd995ca76e84f1c6297de3bed222b52d8bc8d61106a373464a 17188 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_armel.deb
 9bad51bec6ce9e7974c4585aa072966b9f1f27cbb94694bff5b971d0054c54e9 157492 ssh-askpass-gnome_10.0p1-7+deb13u3_armel.deb
Files:
 48188d4210a661049f2e5679bf917b67 3776352 debug optional openssh-client-dbgsym_10.0p1-7+deb13u3_armel.deb
 5bc9edea535bdea2bd8eec4102302375 360180 debian-installer optional openssh-client-udeb_10.0p1-7+deb13u3_armel.udeb
 12c949ecb0b890f39d5f672600d938b4 880308 net standard openssh-client_10.0p1-7+deb13u3_armel.deb
 132873867649812f0e55d61c07fe0520 2363228 debug optional openssh-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 5ad6b3684d06c00a1492a3af762c7161 455112 debian-installer optional openssh-server-udeb_10.0p1-7+deb13u3_armel.udeb
 0c0bb0163fb061139fbb92449ff87d93 528716 net optional openssh-server_10.0p1-7+deb13u3_armel.deb
 efeff60e87a9ff9f2816f20f32528ce8 169972 debug optional openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_armel.deb
 0b4c20355d6393e2417036f3de2b266c 58468 net optional openssh-sftp-server_10.0p1-7+deb13u3_armel.deb
 c3e2635f2bbfa6536f80564707e36256 2917300 debug optional openssh-tests-dbgsym_10.0p1-7+deb13u3_armel.deb
 5c8b411af59449cab8a1ca5f80386db8 926532 net optional openssh-tests_10.0p1-7+deb13u3_armel.deb
 d0d97569193fd6ba7686ef83362c4caa 18539 net standard openssh_10.0p1-7+deb13u3_armel-buildd.buildinfo
 9e03b147fcb815fc2a9a6d77eed29edf 17188 debug optional ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_armel.deb
 eaf2e40b4207eb4b7e97863da483956e 157492 gnome optional ssh-askpass-gnome_10.0p1-7+deb13u3_armel.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0Ha//LlsGOpbQ/H4xqCFmsOWgoYFAmn6PBoACgkQxqCFmsOW
goZOZw/8CQ5IX/Z2wEzwau34oXhT9WwGlx0ehN9yty4ECViK8pdFm7N43rszZzJc
UxeL0KE22xmNzK/+BiGC+sMbDeQgduI9/OjL2nu9utN6hXYOq9vRFA7lPIKhCqfP
CUxMv+zH5wGyR8AK/hMrIHrPVZumNcIyaWNI9FkEUw0u5732S08+3ZCZaxsNpChk
CWNLBbNSXBvMBOEzG/z0HIGPMb3FTHMsccB+nF9Di3519xBik+J+i2khA5JK0fpC
ViNq60Ndh19pJKcLw3Z2uEkk0u99qJXRAE720iv0W06OnT8qdQPEX8d8PgCQh9zA
zKtUpFLWp4UZ44BQsomJ5+nVHv4si6z4aiN5V0ufAXvLvF+jWybnlDrK/iZ1wJDJ
begJdULOFk4Hz56cusk6hMK/DuB4oFpT3mq5JLyuY56uDNT8Tq6IBC7pdbN9OBNZ
JtoksIKcaldfS1lse+tGkcfXkXoLZBFmHJie5OC3LE/nnuIy//0OltALbx7aFPcH
Bs12kqnscLSkQxDODWHAgtouW2yyxh0gOR7i/1k1b/ZhdwNRXF0ITBcyVx+x0SiA
xYsx+dI3D9Pq+2lEFsZiDhcUnDWf3aXO5bHK/FrOCedtgVX1Q6KklJvzMLf5XoCe
Ngt+4yOY4t2rz/Tad18nidamD6G9k8zwoepYlNvqDYXwGgBfHq0=
=6z3b
-----END PGP SIGNATURE-----
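The -J/ProxyJump and CVE-2026-35386 entries above both come down to the same rule: a program that builds an ssh(1) command line from values it did not choose must constrain those values before they reach argv, because ssh will later expand them through %-tokens and hand them to whatever shell a "Match exec" or ProxyCommand names. The following is an added example of doing that on the calling side; it is not OpenSSH's own validation code, and the character classes, the BatchMode option and the helper names are choices made for this illustration, deliberately narrower than what ssh itself accepts.

```python
"""Build an ssh(1) argv from caller-supplied user and host values without
letting them reach a local shell or be parsed as options.

Added example (not OpenSSH code). Assumptions: user names follow the POSIX
portable character set, hosts are DNS names or plain IP literals, and the
remote command words are trusted by the caller (ssh joins them and passes
them to the remote login shell regardless of anything done here).
"""
import ipaddress
import re
import subprocess

# Lower-case POSIX portable user names: no shell metacharacters, no space,
# no leading '-', so the value can never be mistaken for an option.
USER_RE = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")
# RFC 1123 host names: labels of letters, digits and '-' joined by dots.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_safe_user(user):
    return bool(USER_RE.match(user))


def is_safe_host(host):
    # '%' is rejected outright: it is ssh_config's token introducer and also
    # appears in IPv6 scope ids, which have no business in a jump spec.
    if "%" in host:
        return False
    try:
        ipaddress.ip_address(host)  # plain IPv4/IPv6 literal
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def check_user(user):
    if not is_safe_user(user):
        raise ValueError("refusing user name %r" % (user,))
    return user


def check_host(host):
    if not is_safe_host(host):
        raise ValueError("refusing host name %r" % (host,))
    return host


def jump_spec(user, host, port=None):
    """Render one ProxyJump element, [user@]host[:port], from checked parts."""
    spec = "%s@%s" % (check_user(user), check_host(host))
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError("bad port %r" % (port,))
        spec += ":%d" % int(port)
    return spec


def build_ssh_argv(user, host, jumps, command):
    """Return the argv list for `ssh -J <jumps> user@host command...`.

    `jumps` is a list of (user, host, port) tuples.  The destination is put
    after '--' so getopt never treats it as an option, and every variable
    element has already passed check_user/check_host.
    """
    argv = ["ssh", "-o", "BatchMode=yes"]
    if jumps:
        argv += ["-J", ",".join(jump_spec(*j) for j in jumps)]
    argv += ["--", "%s@%s" % (check_user(user), check_host(host))]
    argv += list(command)
    return argv


def run_ssh(user, host, jumps, command):
    # A list plus shell=False goes straight to execve(2): no local shell
    # ever sees these strings, so quoting is not a concern on this side.
    return subprocess.run(build_ssh_argv(user, host, jumps, command), check=False)


if __name__ == "__main__":
    print(build_ssh_argv("deploy", "app01.example.net",
                         [("ops", "bastion.example.net", 2222)], ["uptime"]))
    for bad in ("bob;id", "$(id)", "-oProxyCommand=id", "alice bob", "`id`"):
        print(bad, "->", "accepted" if is_safe_user(bad) else "rejected")
```

The rejection of the leading '-' matters independently of shell metacharacters: without it, a "user name" like -oProxyCommand=id would be parsed by ssh as an option. Note that none of this helps if the same untrusted value is written into a configuration file, which the changelog states is not validated at all.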
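The Checksums-Sha256 and Files fields of this .changes file are what let a consumer confirm that the binary packages they fetched are the ones the build daemon signed. Added example, not Debian's own archive tooling: a small parser for the Checksums-Sha256 stanza plus a verifier that walks a download directory and reports per-file status. The .changes text and the package files it checks are constructed inside a temporary directory so the example runs offline; against a real upload you would first verify the PGP signature on the .changes file with gpg, then pass its text and the download directory to verify_directory().

```python
"""Verify downloaded .deb files against a .changes file's Checksums-Sha256.

Added example, standard library only.  A .changes file is an RFC822-style
control file: field names start at column 0 and multi-line values continue
on lines that start with a single space.  Each Checksums-Sha256 line is
"<sha256-hex> <size-in-bytes> <filename>".
"""
import hashlib
import os
import re
import tempfile

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):(.*)$")


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for the named checksum field."""
    entries = {}
    current = None
    for line in changes_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)  # a new field ends the previous list
            continue
        if current == field and line.startswith(" "):
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % (line,))
            digest, size, name = parts
            if "/" in name or name in (".", ".."):
                # Filenames in a .changes file are bare; anything else is an
                # attempt to make us read or trust a path outside the upload.
                raise ValueError("unsafe filename in changes: %r" % (name,))
            entries[name] = (digest.lower(), int(size))
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(changes_text, directory):
    """Map each listed filename to ok / missing / size-mismatch / digest-mismatch.

    Size is compared first because it is free and catches truncated
    downloads; a file is accepted only when both size and digest match.
    """
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: two packages, one altered after the .changes
    file was written (same length, different bytes) and one never fetched."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "openssh-client_10.0p1-7+deb13u3_armel.deb": b"constructed client payload\n",
            "openssh-server_10.0p1-7+deb13u3_armel.deb": b"constructed server payload\n",
            "openssh-sftp-server_10.0p1-7+deb13u3_armel.deb": b"constructed sftp payload\n",
        }
        lines = ["Format: 1.8", "Source: openssh", "Checksums-Sha256:"]
        for name, data in files.items():
            lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        lines.append("Files:")  # next field terminates the checksum list
        changes = "\n".join(lines) + "\n"
        # Only two of the three files are "downloaded", and one is tampered.
        with open(os.path.join(d, "openssh-client_10.0p1-7+deb13u3_armel.deb"), "wb") as f:
            f.write(files["openssh-client_10.0p1-7+deb13u3_armel.deb"])
        with open(os.path.join(d, "openssh-server_10.0p1-7+deb13u3_armel.deb"), "wb") as f:
            f.write(b"constructed server payloaX\n")
        return verify_directory(changes, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-16s %s" % (status, name))
```

The verifier only trusts the checksum list as far as the signature on the .changes file is trusted, so the gpg check is not optional; the MD5 column in Files is kept for archive compatibility and is not used here.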