-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: riscv64
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: riscv64 Build Daemon (rv-osuosl-02)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573). We
       continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations
       in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate,
       an incorrect algorithm was used that could allow inappropriate
       matching in cases where a principal name in the certificate contains
       a comma character. Exploitation of the condition requires an
       authorized_keys principals="" option that lists more than one
       principal *and* a CA that will issue a certificate that encodes more
       than one of these principal names separated by a comma (typical CAs
       strongly constrain which principal names they will place in a
       certificate). This condition only applies to user-trusted CA keys in
       authorized_keys, the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
       Reported by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit
       (closes: #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other
       ECDSA algorithm would be accepted in its place regardless of whether
       it was listed or not. Reported by Christos Papakonstantinou of
       Cantina and Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested
       for proxy mode multiplexing sessions (i.e. "ssh -O proxy ...").
       Reported by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels. Fixes
       interactive vs bulk IPQoS for client->server traffic.
Checksums-Sha1:
 b50a40a39c001c57e30b16dd9cd2c0b6560b5172 3878112 openssh-client-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 e147c416acc63c6f640e76b8f2fb6b7cd5493127 376424 openssh-client-udeb_10.0p1-7+deb13u3_riscv64.udeb
 34d9039cf92343b619885cb386f59bb01cd7587a 989272 openssh-client_10.0p1-7+deb13u3_riscv64.deb
 7fdb5ba2353323a6323ef3488ea93e63ddfa912d 2438504 openssh-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 f80d4010d7629d98b5244624286ede7c32adbb2e 498240 openssh-server-udeb_10.0p1-7+deb13u3_riscv64.udeb
 e1572bc5ffba42b3a0e7d0302994dae39c24b1db 604900 openssh-server_10.0p1-7+deb13u3_riscv64.deb
 6a1285ddfc3463943fbcddd25c8ec1b190e3577e 165136 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 ef1504ef85771248306973064d684f6fb61b04de 65444 openssh-sftp-server_10.0p1-7+deb13u3_riscv64.deb
 4417f887cc236b7a92b043cde911db1569745d9f 2965108 openssh-tests-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 7a531f059d2a5da5392020d8061ee89e07011b8f 1237028 openssh-tests_10.0p1-7+deb13u3_riscv64.deb
 b02efcf91589307703b1368cecc7947083e3e34f 18720 openssh_10.0p1-7+deb13u3_riscv64-buildd.buildinfo
 c85c3d820640739c5ab45621dd15316416e9f0b9 17140 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 1798d43b24464f35eaf27fa64fa77896bc7d90d7 157492 ssh-askpass-gnome_10.0p1-7+deb13u3_riscv64.deb
Checksums-Sha256:
 9483fd4a18dc95db1d94956691e2da302544f59358f06146aeecf96eb088c1e4 3878112 openssh-client-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 323768e3961757dd69128e6233e8244fdfd6dbf01c0ff7ba663d0d8957436478 376424 openssh-client-udeb_10.0p1-7+deb13u3_riscv64.udeb
 906d744b83339f4231b3b04dadcb6b233deb9c93baabb096868b3bad52f4ba88 989272 openssh-client_10.0p1-7+deb13u3_riscv64.deb
 faa38a187db1bee473efc75ca8978321ae61fca83c9c6c121d9bc194dd068059 2438504 openssh-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 df0d4c41942af426a79ce4622fe741c54931263f1970097bb181d522e5cb5f6a 498240 openssh-server-udeb_10.0p1-7+deb13u3_riscv64.udeb
 61e0e89844a9d07b6d9d99547e120b46a1468269433afe338b48bf4110e9f01d 604900 openssh-server_10.0p1-7+deb13u3_riscv64.deb
 b29518a4e7acc24f0d7c7cf2d283ecb73ffd87003685319fa68e72092e6ce0ac 165136 openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 2d9323d58996c528d053babbd1025634f64823fdaebb85ec4c3868e8c528445f 65444 openssh-sftp-server_10.0p1-7+deb13u3_riscv64.deb
 b52ee0ecc2e6f9631d1b50954cd984e28c8695ee97f898ca1f032724ee0082ba 2965108 openssh-tests-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 f4efc3b76f735c36cb06d29769ee2dcec2188076db8f2b791cc2a289f04937c8 1237028 openssh-tests_10.0p1-7+deb13u3_riscv64.deb
 774a2bf3ed6d28e6d701c6b224f016594f54cafad1fe44f1a33c828b3b1a4896 18720 openssh_10.0p1-7+deb13u3_riscv64-buildd.buildinfo
 6d2805d92e293a21d1a5b544d441aad594d6eb5340adbbc167139fa75f7ef5f5 17140 ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 02bcd01cac270ed27da374d6e3b24de30c5da72e3123eaed3ad8ea5e9918e3c9 157492 ssh-askpass-gnome_10.0p1-7+deb13u3_riscv64.deb
Files:
 a91e347f3f55217fe07b6fffb5006fae 3878112 debug optional openssh-client-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 afdf79a32f9e8486966a67d0f7d02f8c 376424 debian-installer optional openssh-client-udeb_10.0p1-7+deb13u3_riscv64.udeb
 06d22577d94453b085b872c9f3d654cc 989272 net standard openssh-client_10.0p1-7+deb13u3_riscv64.deb
 5dd9ef7979817f5bb1781c67d7fd8274 2438504 debug optional openssh-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 e70a73d3d9d844c5dbfbb8e62f91dde8 498240 debian-installer optional openssh-server-udeb_10.0p1-7+deb13u3_riscv64.udeb
 7c55d132a3314f9e8d58f509cfe993ac 604900 net optional openssh-server_10.0p1-7+deb13u3_riscv64.deb
 ac2291628e4ba84a739d6c0f47564ba2 165136 debug optional openssh-sftp-server-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 3d8468afc241c6ce8a7db79690ba1a21 65444 net optional openssh-sftp-server_10.0p1-7+deb13u3_riscv64.deb
 dae86a9fcd6091a9268b86ba9340958d 2965108 debug optional openssh-tests-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 ee20689ebbc9c64d2fe595fe0ca22af5 1237028 net optional openssh-tests_10.0p1-7+deb13u3_riscv64.deb
 1e4490ffefe606c6007a2d0b7efa9e25 18720 net standard openssh_10.0p1-7+deb13u3_riscv64-buildd.buildinfo
 27b423121824deeb7f345ebfbd4303ab 17140 debug optional ssh-askpass-gnome-dbgsym_10.0p1-7+deb13u3_riscv64.deb
 c00f0461d8d7595ae6e8f049e177ea90 157492 gnome optional ssh-askpass-gnome_10.0p1-7+deb13u3_riscv64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/AxPdLOtOshqz3vw/Fc5EAGpa+sFAmn6RJ8ACgkQ/Fc5EAGp
a+sqMxAArB5lDjMu8e5sHrUOD4/BzugQ0MNUIni74prasvuyi3DwbIf8QpKatHGt
AI1znoB9MgoBcG2wdWC7se8r623SW9DCxhddTSO1/6uFg4mAwIdO7k6kTZYxG4jW
AoQl3iIESsOyWXn+eUb4U7FUKmm+RHk5vwoqIrbHAy1/cJ1ysRkUdRbIi8ZjgFPG
C8cIhd1R2t6WyI86VcMSpSOEGZxYB9DKqWVJyYiLl4DRdgg3kYAHjX3D92O/VcbB
ellAc6HE/e07EooF/n6Zo6R0v1AyiTrSilfJnIIah7e/YteAO7FsFPBQ9EqGk3Cz
lLzGf1X86QLd4trrXoTGpMPqWXSKiQS2W3+SpisE404O/m/mTmspvUbb6R660aU6
cAtYkgQ31dvbWKrW9GJhhnp3FUBQnbVRalk6ehfscVomlWdy5LvG8SF2JvnB7rGt
giLo4oGGgmbHUfkmkp7/0uuBhyCNYyXwJjbZbxmSYJpA7HhvqiagT6VBfXmFMtgk
pjPNIc7cbw8f58v+MDSKqpwQ0E0ZgpUFOXl+Waf6yNGjTcxxzyswT2bSaBMG8waD
EI26tiBOJfalEA/TKhM9BFyX98HiNthErjFVDfrDYYjiajo5kE7uO/4zUY3o8kWY
iSWWzDi6In3UdKhIsbdSaPEjkrNkFEMnOy7k5DQygeEC/77f+cE=
=T+lP
-----END PGP SIGNATURE-----
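As an added example (not Debian's dpkg-dev tooling and not part of this upload), the following POSIX shell routine verifies downloaded artifacts against the Checksums-Sha256 paragraph of a .changes file like the one above. The package name and contents used in demo_verify are constructed for the demonstration; run verify_changes against the real .changes and a directory holding the downloaded .deb files.

```shell
#!/bin/sh
# Verify build artifacts against the Checksums-Sha256 paragraph of a Debian
# .changes file. Added example; needs only awk, sha256sum, wc and mktemp.

# Print "<sha256> <size> <filename>" for every entry of the Checksums-Sha256
# paragraph. In the RFC 822-style .changes format a paragraph is the field
# line followed by continuation lines starting with a space; the next line
# that does not start with a space (here "Files:") ends it.
changes_sha256_list() {
    awk '
        /^Checksums-Sha256:/ { in_sec = 1; next }
        in_sec && /^ /      { print $1, $2, $3; next }
        in_sec              { in_sec = 0 }
    ' "$1"
}

# verify_changes CHANGES DIR: size check first (a truncated download fails
# loudly before any hashing), then the SHA-256 digest. Returns 0 only if
# every listed file is present, the right size and hashes correctly; 1 on
# any mismatch; 2 if the paragraph is missing or empty.
verify_changes() {
    changes=$1
    dir=$2
    status=0
    n=0
    while read -r sum size name; do
        [ -n "$name" ] || continue
        n=$((n + 1))
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$actual_size" != "$size" ]; then
            echo "SIZE     $name: expected $size bytes, got $actual_size" >&2
            status=1; continue
        fi
        actual_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual_sum" != "$sum" ]; then
            echo "BAD      $name" >&2; status=1; continue
        fi
        echo "OK       $name"
    done <<EOF
$(changes_sha256_list "$changes")
EOF
    [ "$n" -gt 0 ] || { echo "no Checksums-Sha256 entries in $changes" >&2; return 2; }
    return "$status"
}

# Constructed demonstration: a fake artifact plus a matching .changes
# fragment in a temp dir (hash computed here, not taken from the real file).
# The Files: line carries a placeholder MD5 only to show the parser stops at
# the next field. Returns 0 when the intact file verifies and both a
# truncation and a same-size corruption are rejected.
demo_verify() {
    tmp=$(mktemp -d) || return 3
    deb="openssh-client_0.0-1_riscv64.deb"          # constructed name
    printf 'not a real package\n' > "$tmp/$deb"
    sum=$(sha256sum "$tmp/$deb" | cut -d' ' -f1)
    size=$(wc -c < "$tmp/$deb" | tr -d ' ')
    printf 'Format: 1.8\nChecksums-Sha256:\n %s %s %s\nFiles:\n %s %s net standard %s\n' \
        "$sum" "$size" "$deb" 00000000000000000000000000000000 "$size" "$deb" \
        > "$tmp/demo.changes"
    verify_changes "$tmp/demo.changes" "$tmp" || { rm -rf "$tmp"; return 1; }
    printf 'not a real package!\n' > "$tmp/$deb"     # one byte longer: size check trips
    if verify_changes "$tmp/demo.changes" "$tmp" 2>/dev/null; then rm -rf "$tmp"; return 1; fi
    printf 'Not a real package\n' > "$tmp/$deb"      # same size: digest check trips
    if verify_changes "$tmp/demo.changes" "$tmp" 2>/dev/null; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```

A .changes file is only as trustworthy as the PGP signature over it, so verify the clearsigned file (gpg --verify) against the buildd or maintainer key before trusting the digests it lists. The older Checksums-Sha1 and Files (MD5) paragraphs are ignored here in favour of SHA-256.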
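The ProxyJump and CVE-2026-35386 entries in the changelog make the same point from the caller's side: user and host names should be validated before they reach an ssh command line, rather than relying on ssh's own check, which the changelog itself describes as a backstop that cannot be absolute. The following is an added example, not OpenSSH's or Debian's code; the function names (valid_ssh_target, ssh_via_jump) and the allowlist rules are this editor's choices.

```shell
#!/bin/sh
# Allowlist validation for "[user@]host[:port]" before it is passed to
# ssh -J / -oProxyJump. Added example; not OpenSSH's own validation.

# valid_ssh_target TARGET: returns 0 only for a conservative shape:
#   user = POSIX-style login name  [a-z_][a-z0-9_-]{0,31}   (policy choice)
#   host = DNS labels of letters/digits/hyphen, no leading or trailing '-'
#   port = 1..65535
# Anything starting with '-' is refused outright (it would parse as an ssh
# option, e.g. -oProxyCommand=...), as is any character outside the set,
# which covers shell metacharacters, whitespace, '%' (ssh_config tokens),
# quotes and a second '@' or ':'.
valid_ssh_target() {
    target=$1
    case $target in
        ''|-*|*[!A-Za-z0-9_.@:-]*) return 1 ;;
    esac
    user=
    port=
    case $target in
        *@*@*) return 1 ;;
        *@*)   user=${target%%@*}; target=${target#*@}
               printf '%s\n' "$user" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' || return 1 ;;
    esac
    case $target in
        *:*:*) return 1 ;;
        *:*)   port=${target#*:}; target=${target%%:*}
               case $port in ''|*[!0-9]*) return 1 ;; esac
               [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
    esac
    host=$target
    [ ${#host} -le 253 ] || return 1
    printf '%s\n' "$host" | LC_ALL=C grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# ssh_via_jump JUMP DEST [COMMAND...]: validate both ends, then invoke ssh
# with the validated strings as separate argv words (no eval, no string
# concatenation into a shell command line). "--" ends option parsing so
# that a destination could never be read as an option even if validation
# were bypassed. Hypothetical wrapper name.
ssh_via_jump() {
    jump=$1; dest=$2; shift 2
    valid_ssh_target "$jump" || { echo "refusing jump host: $jump" >&2; return 64; }
    valid_ssh_target "$dest" || { echo "refusing destination: $dest" >&2; return 64; }
    ssh -J "$jump" -- "$dest" "$@"
}

# classify_targets TARGET...: prints "accept"/"reject" per argument, for a
# quick look at what the allowlist does with constructed inputs.
classify_targets() {
    for t in "$@"; do
        if valid_ssh_target "$t"; then echo "accept  $t"; else echo "reject  $t"; fi
    done
}

classify_targets 'alice@bastion.example.net:2222' 'bastion.example.net' \
    '-oProxyCommand=id' 'alice@bastion;id' 'alice@bastion$(id)' '%u@host'
```

The allowlist is deliberately narrower than what OpenSSH accepts (no IPv6 literals, no uppercase login names, no hostnames with a trailing dot); widen it explicitly for your environment rather than switching to a denylist of metacharacters, which is the approach the changelog says cannot be made absolute across shells and configurations. A name that passes still ends up in %u and %h expansions in ssh_config, so keep the allowlist tight rather than expecting ssh to catch the rest.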