-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: i386
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: i386 Build Daemon (x86-grnet-01) <buildd_amd64-x86-grnet-01@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys;
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
