-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: amd64
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this cannot
       be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys; the
       main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.
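The two allow-list items above (CVE-2026-35414, principals="" matching against certificate principals, and CVE-2026-35387, PubkeyAcceptedAlgorithms/HostbasedAcceptedAlgorithms with ECDSA names) both come down to the same rule: a name is accepted only if it is exactly equal to one entry of the configured list. The following is an added illustration of that rule, not OpenSSH's own code and not a reconstruction of the flawed logic it replaced. It parses the option field of an authorized_keys line (quoted values may contain commas, so the field cannot simply be split on ","), then applies exact matching so that a single certificate principal spelled "alice,bob" does not satisfy principals="alice,bob", and so that listing one ECDSA curve does not admit another. Assumptions, marked in the code: the key-type prefix heuristic used to detect an option-less line, the sample line with placeholder key material, and that wildcard patterns (which the real directives also accept) are not modelled.

```python
from __future__ import annotations

# Added illustration (not OpenSSH's code): exact-match allow-list semantics for
# authorized_keys principals="..." and *AcceptedAlgorithms, covering the
# comma-in-principal and single-ECDSA-curve edge cases from the changelog.

# Assumption: these prefixes are enough to recognise a line with no option field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys_line(line: str) -> tuple[dict[str, str | None], str]:
    """Split one authorized_keys line into (options, key_part).

    Options are comma separated; a value may be double-quoted, and a quoted
    value may itself contain commas and backslash-escaped quotes.  Returns an
    empty dict when the line begins directly with the key type.
    """
    line = line.strip()
    if not line:
        raise ValueError("empty authorized_keys line")
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return {}, line
    opts: dict[str, str | None] = {}
    i, n = 0, len(line)
    while i < n:
        j = i
        while j < n and line[j] not in ",= \t":
            j += 1
        name = line[i:j].lower()
        value: str | None = None
        if j < n and line[j] == "=":
            j += 1
            if j < n and line[j] == '"':
                j += 1
                buf: list[str] = []
                while j < n and line[j] != '"':
                    if line[j] == "\\" and j + 1 < n and line[j + 1] == '"':
                        buf.append('"')  # \" inside a quoted value
                        j += 2
                    else:
                        buf.append(line[j])
                        j += 1
                if j >= n:
                    raise ValueError("unterminated quoted option value")
                j += 1  # skip closing quote
                value = "".join(buf)
            else:
                k = j
                while j < n and line[j] not in ", \t":
                    j += 1
                value = line[k:j]
        opts[name] = value
        if j < n and line[j] == ",":
            i = j + 1  # next option
            continue
        while j < n and line[j] in " \t":
            j += 1
        return opts, line[j:]  # whitespace ends the option field
    return opts, ""


def split_list(csv: str) -> list[str]:
    """A comma-separated list value (principals=, PubkeyAcceptedAlgorithms)."""
    return [e for e in csv.split(",") if e]


def principal_matches(allowed_csv: str, cert_principals: list[str]) -> bool:
    """True iff some certificate principal is exactly one of the allowed names.

    Each certificate principal is one opaque name: "alice,bob" in a certificate
    is a single principal and must not match the list alice,bob.
    """
    allowed = set(split_list(allowed_csv))
    return any(p in allowed for p in cert_principals)


def algorithm_accepted(accepted_csv: str, offered: str) -> bool:
    """Exact-name check for PubkeyAcceptedAlgorithms / HostbasedAcceptedAlgorithms.

    Assumption: plain names only; the wildcard patterns OpenSSH also accepts in
    these directives are not modelled.  Listing "ecdsa-sha2-nistp384" must not
    admit "ecdsa-sha2-nistp256".
    """
    return offered in split_list(accepted_csv)


def check_cert_against_line(line: str, cert_principals: list[str]) -> bool:
    """Authorize a certificate's principal list against one authorized_keys line."""
    opts, _key = parse_authorized_keys_line(line)
    if not opts.get("principals"):
        return False  # lines without principals= are outside this illustration
    return principal_matches(opts["principals"], cert_principals)


if __name__ == "__main__":
    # Constructed sample line; the key material is a placeholder, not a real key.
    sample = ('cert-authority,principals="alice,bob",no-pty '
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ca@example")
    print(parse_authorized_keys_line(sample)[0])
    print(check_cert_against_line(sample, ["bob"]))        # True
    print(check_cert_against_line(sample, ["alice,bob"]))  # False
    print(algorithm_accepted("ssh-ed25519,ecdsa-sha2-nistp384",
                             "ecdsa-sha2-nistp256"))       # False
```

The parser is the part worth keeping: the option field is the only place in the line where a comma does not separate entries, and getting that wrong in either direction (splitting inside quotes, or treating a certificate principal as a list) produces exactly the kind of over-matching the CVE-2026-35414 entry describes.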
Checksums-Sha1:
 4fd12dea3eda3f6cd7c478127208d540b12da041 4058412 openssh-client-dbgsym_10.0p1-7+deb13u3_amd64.deb
 ff74f58aa116ccb9e376f58ccdf3c5d112b959bd 393936 openssh-client-udeb_10.0p1-7+deb13u3_amd64.udeb
 631d3bce839892f2a3d56ae0983ee082444e5d35 990460 openssh-client_10.0p1-7+deb13u3_amd64.deb
 d76107e241b892400440170caa7cbe279b2e4a18 2521804 openssh-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 ab073e2ce7a7badcf525b06809ef72cf19a48952 509372 openssh-server-udeb_10.0p1-7+deb13u3_amd64.udeb
 95ca774656d6d556cbea98b7152bf23ad5fa8913 602148 openssh-server_10.0p1-7+deb13u3_amd64.deb
 ff421bd8903238dd96c0782371a45ac47d76eaa4 168904 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 0e04db7e780d1379cc470787f188f5acbc25e399 65356 openssh-sftp-server_10.0p1-7+deb13u3_amd64.deb
 f6797c2e0393a02b63def94aa5806805e79492cd 3117840 openssh-tests-dbgsym_10.0p1-7+deb13u3_amd64.deb
 6aaf363e62c90e481319cf764a58ec75e1309613 1034364 openssh-tests_10.0p1-7+deb13u3_amd64.deb
 69dd22d2901893f1b478242fa0ed8b1437494d3d 18750 openssh_10.0p1-7+deb13u3_amd64-buildd.buildinfo
 506ea1c07ffe457dcdecd5c6fa5719cda91eb9fa 17268 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_amd64.deb
 5d2ef2b85b6faf28a2b160c760da75419ddfd3b2 157880 ssh-askpass-gnome_10.0p1-7+deb13u3_amd64.deb
Checksums-Sha256:
 f2da8c31d76351f166523fa90de50ad33ff7ac52cb9bf5b2fac09e95c637fa23 4058412 openssh-client-dbgsym_10.0p1-7+deb13u3_amd64.deb
 a27fb251a73cacbd52096a3efbb608c3f911f086372c28cd152dbf520e9cf41b 393936 openssh-client-udeb_10.0p1-7+deb13u3_amd64.udeb
 186a759c7f5b669c56df15d5c23d7ad8efc377f05cdc25e449fcffba18b0e9ca 990460 openssh-client_10.0p1-7+deb13u3_amd64.deb
 627f9db34aaa39fa108844b7bf4107196b7beaeca0b84210575fb4d0ecddfc12 2521804 openssh-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 36a7bd24a47639bbd442dc30ef7dae2355fe9490cca6e60602d8fc1c32dfe962 509372 openssh-server-udeb_10.0p1-7+deb13u3_amd64.udeb
 1c7b3e9aaf0ca1afe103c72dfe71ec630ca74d6195a492335e818b1e9d84decc 602148 openssh-server_10.0p1-7+deb13u3_amd64.deb
 214383c6eb1b96d07e9c7a8137c1e982ed68344a0ec2f407fea8a02f6eb6e7a2 168904 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 fbaafe58bfc071cfb3d98e7fcc65ae9f10abf7048760aa489ab6e75de29f7874 65356 openssh-sftp-server_10.0p1-7+deb13u3_amd64.deb
 dbb6f2d2bd0626e7c0cb4f1af2970e60bfb7d22bd656c50595251cb43544b797 3117840 openssh-tests-dbgsym_10.0p1-7+deb13u3_amd64.deb
 08b24dd76836229459aff5d9842687bed6c420fdc2cd77bcfae6ddf2fd181e9e 1034364 openssh-tests_10.0p1-7+deb13u3_amd64.deb
 275d41b402af2fb2a5c4bb76270c3cd4938aa2d0425413ded2e99141ad9b2d79 18750 openssh_10.0p1-7+deb13u3_amd64-buildd.buildinfo
 49a3b6becd8818fb20d7390b98022a8230a460f9575512fd6ce8d4622207666f 17268 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_amd64.deb
 6f3e9b764f305a8b17ebdd259e07bcaea960712f2a6203a853168fc5f8ee2d9e 157880 ssh-askpass-gnome_10.0p1-7+deb13u3_amd64.deb
Files:
 7728992714b453a1d1d72081586c886b 4058412 debug optional openssh-client-dbgsym_10.0p1-7+deb13u3_amd64.deb
 152d562e905a37d8f3ff1054e2e2faa6 393936 debian-installer optional openssh-client-udeb_10.0p1-7+deb13u3_amd64.udeb
 caad78ed5be384f1af34d8eaaba6c820 990460 net standard openssh-client_10.0p1-7+deb13u3_amd64.deb
 7febabe29c10ee2966d9a52c9e8a84c7 2521804 debug optional openssh-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 56324058c0311aa42f771b74a6c53521 509372 debian-installer optional openssh-server-udeb_10.0p1-7+deb13u3_amd64.udeb
 06f1e0e675e8468d0e5c12da1c1df9ef 602148 net optional openssh-server_10.0p1-7+deb13u3_amd64.deb
 40ed35e9d1ef7ad8f88ec0cf99d32f3b 168904 debug optional openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_amd64.deb
 4beeab434f28cbf07477f4f7bd025cae 65356 net optional openssh-sftp-server_10.0p1-7+deb13u3_amd64.deb
 62541057fa3322c3a6ec1d9ad722e17a 3117840 debug optional openssh-tests-dbgsym_10.0p1-7+deb13u3_amd64.deb
 29ce5e64b01a56b6a95b65428f20fcd7 1034364 net optional openssh-tests_10.0p1-7+deb13u3_amd64.deb
 c58e2bc9bf10ab9c897e0f6a4de896d6 18750 net standard openssh_10.0p1-7+deb13u3_amd64-buildd.buildinfo
 35c8245ce1f2a731455a86285c7056c2 17268 debug optional ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_amd64.deb
 b562cd14e3a2f6f86e586d97cfd747a9 157880 gnome optional ssh-askpass-gnome_10.0p1-7+deb13u3_amd64.deb

-----BEGIN PGP SIGNATURE-----
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=q+K4
-----END PGP SIGNATURE-----
