Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: armhf
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: armhf Build Daemon (arm-conova-01)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations
       in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate,
       an incorrect algorithm was used that could allow inappropriate
       matching in cases where a principal name in the certificate contains
       a comma character. Exploitation of the condition requires an
       authorized_keys principals="" option that lists more than one
       principal *and* a CA that will issue a certificate that encodes more
       than one of these principal names separated by a comma (typical CAs
       strongly constrain which principal names they will place in a
       certificate). This condition only applies to user-trusted CA keys in
       authorized_keys, the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
       Reported by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit
       (closes: #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other
       ECDSA algorithm would be accepted in its place regardless of whether
       it was listed or not. Reported by Christos Papakonstantinou of
       Cantina and Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested
       for proxy mode multiplexing sessions (i.e. "ssh -O proxy ...").
       Reported by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels. Fixes
       interactive vs bulk IPQoS for client->server traffic.
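
Added example, not part of the upload record and not OpenSSH source: a simplified C model of the principals="" matching flaw described under CVE-2026-35414, shown beside an exact-match check. The function names, the sample names alice and bob, and the assumption that the flawed matcher also split the certificate principal on commas are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: a principals="" option value and two certificates. */
static const char OPTION[] = "alice,bob";
static const char *const CERT_COMMA[] = { "alice,bob" }; /* ONE principal */
static const char *const CERT_PLAIN[] = { "bob" };

/* True if the first len bytes of name equal one comma-separated entry. */
static int list_has(const char *list, const char *name, size_t len)
{
    while (*list != '\0') {
        size_t n = strcspn(list, ",");
        if (n > 0 && n == len && strncmp(list, name, n) == 0)
            return 1;
        list += n + (list[n] == ',');   /* skip the entry and its comma */
    }
    return 0;
}

/* Assumed model of the flaw: the certificate principal is treated as a
 * comma-separated list too, so any fragment of it can satisfy the option. */
int match_flawed(const char *opt, const char *const *cert, size_t ncert)
{
    for (size_t i = 0; i < ncert; i++)
        for (const char *p = cert[i]; *p != '\0'; ) {
            size_t n = strcspn(p, ",");
            if (list_has(opt, p, n))
                return 1;
            p += n + (p[n] == ',');
        }
    return 0;
}

/* Exact check: each certificate principal is compared as a whole string. */
int match_strict(const char *opt, const char *const *cert, size_t ncert)
{
    for (size_t i = 0; i < ncert; i++)
        if (list_has(opt, cert[i], strlen(cert[i])))
            return 1;
    return 0;
}

int main(void)
{
    printf("comma principal: flawed=%d strict=%d\n",
           match_flawed(OPTION, CERT_COMMA, 1), match_strict(OPTION, CERT_COMMA, 1));
    return 0;
}
```

A legitimately issued principal such as "bob" is accepted by both checks; only the whole-string comparison rejects a certificate whose single principal is the literal string "alice,bob".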