Accepted openssh 1:10.1p1-1 (source) into unstable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Oct 2025 22:07:19 +0100
Source: openssh
Architecture: source
Version: 1:10.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1095922 1111446 1117529 1117530
Changes:
 openssh (1:10.1p1-1) unstable; urgency=medium
 .
   [ Allison Karlitskaya ]
   * sshd@.service: Support ephemeral keys from VM/container hosts.
 .
   [ Colin Watson ]
   * New upstream release:
     - ssh(1): add a warning when the connection negotiates a non-post
       quantum key agreement algorithm.
     - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by
       default, interactive traffic is assigned to the EF (Expedited
       Forwarding) class, while non-interactive traffic uses the operating
       system default DSCP marking.
     - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
       keywords in the IPQoS configuration directive.
     - ssh-add(1): when adding certificates to an agent, set the expiry to
       the certificate expiry time plus a short (5 min) grace period.
     - All: remove experimental support for XMSS keys.
     - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under
       ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
     - CVE-2025-61984: ssh(1): disallow control characters in usernames
       passed via the commandline or expanded using %-sequences from the
       configuration file (closes: #1117529),
     - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes:
       #1117530).
     - ssh(1), sshd(8): add SIGINFO handlers to log active channel and
       session information.
     - sshd(8): when refusing a certificate for user authentication, log
       enough information to identify the certificate in addition to the
       reason why it was being denied. Makes debugging certificate
       authorisation problems a bit easier.
     - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens.
     - ssh(1): add an ssh_config(5) RefuseConnection option that, when
       encountered while processing an active section in a configuration,
       terminates ssh(1) with an error message that contains the argument to
       the option.
     - sshd(8): make the X11 display number check relative to
       X11DisplayOffset. This will allow people to use X11DisplayOffset to
       configure much higher port ranges if they really want, while not
       changing the default behaviour.
     - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is
       enabled.
     - sshd(8): increase the maximum size of the supported configuration from
       256KB to 4MB, which ought to be enough for anybody. Fail early and
       visibly when this limit is breached.
     - sftp(1): during sftp uploads, avoid a condition where a failed write
       could be ignored if a subsequent write succeeded. This is unlikely but
       technically possible because sftp servers are allowed to reorder
       requests.
     - sshd(8): avoid a race condition when the sshd-auth process exits that
       could cause a spurious error message to be logged.
     - sshd(8): log at level INFO when PerSourcePenalties actually blocks
       access to a source address range. Previously this was logged at level
       VERBOSE, which hid enforcement actions under default config settings.
     - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
       first-match-wins as advertised.
     - ssh(1): fix an incorrect return value check in the local forward
       cancellation path that would cause failed cancellations not to be
       logged.
     - sshd(8): make "Match !final" not trigger a second parsing pass of
       ssh_config (unless hostname canonicalisation or a separate "Match
       final" does).
     - ssh(1): better debug diagnostics when loading keys. Will now list key
       fingerprint and algorithm (not just algorithm number) as well as
       making it explicit which keys didn't load.
     - All: fix a number of memory leaks found by LeakSanitizer, Coverity and
       manual inspection.
     - sshd(8): Output the current name for PermitRootLogin's
       "prohibit-password" in sshd -T instead of its deprecated alias
       "without-password" (closes: #1095922).
     - ssh(1): make writing known_hosts lines more atomic by writing the
       entire line in one operation and using unbuffered stdio.
     - sshd(8): check the username didn't change during the PAM transactions.
     - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow
       DNS lookups in the audit subsystem.
     - All: when making a copy of struct passwd, ensure struct fields are
       non-NULL.
     - sshd(8): handle futex_time64 properly in seccomp sandbox.
     - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
     - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
       preventing a graceful shutdown of an agent via systemd from
       incorrectly marking the service as "failed".
   * Drop patches:
     - no-openssl-version-status.patch: Mostly applied upstream; the rest
       only applied to OpenSSL < 3, which isn't relevant to current Debian
       releases.
     - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS,
       so let's see how that works in Debian (closes: #1111446).
   * debian/run-tests: Fix path to dropbear.
Checksums-Sha1:
 30e42189cb7b9c75cddb4523baa1d53bc2228e53 3500 openssh_10.1p1-1.dsc
 7fd17b99d1beffb47cd380d64079e920bb0bd91f 1972831 openssh_10.1p1.orig.tar.gz
 3067baf706cbf8497a00d40113eb6c246a5db569 833 openssh_10.1p1.orig.tar.gz.asc
 3965f1ff2d72d73966fa8fa517a996a7afcbcad7 199172 openssh_10.1p1-1.debian.tar.xz
Checksums-Sha256:
 b9f358bcbe0e780865dbb5733be37f68b72d4c8574a932dac389f98352af6a7c 3500 openssh_10.1p1-1.dsc
 b9fc7a2b82579467a6f2f43e4a81c8e1dfda614ddb4f9b255aafd7020bbf0758 1972831 openssh_10.1p1.orig.tar.gz
 a96151c3f5d5b4b6278a4f5b29861c1308c3a0b96c9acfcec5aaeef0bb84ea92 833 openssh_10.1p1.orig.tar.gz.asc
 f4b7f3687e1139757f0e0dbee03c3627421444caa68eeacc6df098d6e3c17d59 199172 openssh_10.1p1-1.debian.tar.xz
Files:
 a276fcc4f45b9aedc428479a0d71369d 3500 net standard openssh_10.1p1-1.dsc
 80dd9bb00a86519934710d05903fdf07 1972831 net standard openssh_10.1p1.orig.tar.gz
 97c2579d423ce6397bba2eee504a3ec1 833 net standard openssh_10.1p1.orig.tar.gz.asc
 631d8f12ef92841a9004e144141f1d96 199172 net standard openssh_10.1p1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmjlgTcACgkQOTWH2X2G
UAsSRBAArMXDacvEfXFuCAy5bFCatDzUGNF9TqOnLYR2P51bGipCjIUbcnCwPhhN
7KmvVp7nQ0lzTl6C5BuQ5t658feb9Msnd+/PGboeIvfl8oy5Wul8zyf9EBHK9yIt
78psiPXv+3q21yvV2uJzKpWt3LDaE2RcVYqBYKehgIpDCKSVTk6OH0FnZIsIAKsR
nY6yG3IBfxjFP4iGkV3TuzrWLhrdrFHaPLWuDB2bxItmkhhKZL+JEuu64KwtLkIa
eoR/81lDOsyxTZuQDuLFkUv2c8TGbzagdXrblDay344fIYsrlzS8IFvwy5n1Vo1F
8KWwV2mDB59Adn85FANgYdymQzitDxKkqqWNn+f9SXd85HbJgTykVOwA3sbwMouC
DP0IWdchoTl8fWytTTHWyMuNDg7s9w/CzRffhpco9Ura74qPPXNr7yG6bFhFk/cR
UQzbzaz5wLnQlT9Nj9kupriKyf1CMeoPk9htZ+m+3jbBagA4KFA3sWWlgwF+nQig
cjAzCC7vlk+A/5cZKPDrN+OIMMRQnMbPbC22bW2W3aXyABeh5y9brqHbNtE/TccG
DrOYY/zOcQWySRxpRqPu6k3Q5pToinLJRC1CipcX1Xkrv89JA4NM1e9KdODzPPu3
X6bXUfYXk6BGJaNr7JQh0hKt3swrQ2EauQsPFI6a5ydxT8275vs=
=sYUq
-----END PGP SIGNATURE-----