-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 May 2026 13:06:31 +0100
Source: openssh
Architecture: source
Version: 1:8.4p1-5+deb11u7
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1117529 1117530 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:8.4p1-5+deb11u7) bullseye-security; urgency=medium
 .
   * CVE-2025-61984: ssh(1): disallow control characters in usernames passed
     via the commandline (closes: #1117529).
   * CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs
     (closes: #1117530).
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations
       in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate,
       an incorrect algorithm was used that could allow inappropriate
       matching in cases where a principal name in the certificate contains
       a comma character. Exploitation of the condition requires an
       authorized_keys principals="" option that lists more than one
       principal *and* a CA that will issue a certificate that encodes more
       than one of these principal names separated by a comma (typical CAs
       strongly constrain which principal names they will place in a
       certificate). This condition only applies to user-trusted CA keys in
       authorized_keys, the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
       Reported by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit
       (closes: #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other
       ECDSA algorithm would be accepted in its place regardless of whether
       it was listed or not. Reported by Christos Papakonstantinou of
       Cantina and Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested
       for proxy mode multiplexing sessions (i.e. "ssh -O proxy ...").
       Reported by Michalis Vasileiadis (closes: #1132575).
Checksums-Sha1:
 a1288bd2fee33331d027ac44b5a948d58b995b97 2734 openssh_8.4p1-5+deb11u7.dsc
 69305059e10a60693ebe6f17731f962c9577535c 1742201 openssh_8.4p1.orig.tar.gz
 323573568682eac265e1f69206bc98149a8e423e 683 openssh_8.4p1.orig.tar.gz.asc
 9e358c0f460741feb35d93d9d81ffaec3a62e347 195772 openssh_8.4p1-5+deb11u7.debian.tar.xz
 a9ee487f0be0a1fe878f3c31c64dc1bb2cfe7359 5795 openssh_8.4p1-5+deb11u7_source.buildinfo
Checksums-Sha256:
 f5379af4233695600b4543f0d6fa037bd94ee71e23454cb80c397ab78b3db12a 2734 openssh_8.4p1-5+deb11u7.dsc
 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 1742201 openssh_8.4p1.orig.tar.gz
 ccd9dd484651ce4cc926228f6e1b46afaf0c5ab98a866217fa0ef1074370ea2b 683 openssh_8.4p1.orig.tar.gz.asc
 224924f0f9cdb4ab682808e9e547bdb9fae9e5ebffe95b861d352a0b877d9b94 195772 openssh_8.4p1-5+deb11u7.debian.tar.xz
 6a3d5f4f90cb59608449a75a87b253704c53d068a32ad85299bb5e20d8f87078 5795 openssh_8.4p1-5+deb11u7_source.buildinfo
Files:
 0ccac117f4037679b2dce79b8f5f2b4a 2734 net standard openssh_8.4p1-5+deb11u7.dsc
 8f897870404c088e4aa7d1c1c58b526b 1742201 net standard openssh_8.4p1.orig.tar.gz
 715c219a524631139bafa8a351cf44e7 683 net standard openssh_8.4p1.orig.tar.gz.asc
 8815f9b5681e705ad7fb60f21327a875 195772 net standard openssh_8.4p1-5+deb11u7.debian.tar.xz
 0ed0eecf87fc3a6392fb1dc08d934588 5795 net standard openssh_8.4p1-5+deb11u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCagdHGQAKCRAn3j1FEEiG
78X0APoC6L/6l1hJmF4oay1CPrk1bdXGtVtjajoiq8Vo0/17UwD/T7Lsja1NxBla
ds5cWDSdUyuLLQxQVA/LUgzOK5RnDQs=
=brLN
-----END PGP SIGNATURE-----
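Two checks a practitioner would want around this update, written here as an added example; this is not part of the Debian .changes file above and not OpenSSH or Debian code. The first covers the CVE-2025-61984 / CVE-2026-35386 class of problem in the changelog (control characters and shell metacharacters in a user name reaching ssh(1) and its %-token expansion): an allowlist applied to user and host names before they are placed on the ssh command line, with the name passed via -l so user and host stay separate arguments. The character set, the function names `ssh_arg_ok` and `safe_ssh_argv`, and the sample names `alice` and `bastion.example.org` are this example's own choices; the allowlist is far stricter than what ssh(1) itself enforces. The second, `changes_sha256_manifest`, parses the Checksums-Sha256 field of a .changes file into the input format of sha256sum -c, using the checksums printed above as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the .changes file, OpenSSH or Debian).
#  1. ssh_arg_ok / safe_ssh_argv: allowlist user and host names before they
#     reach ssh(1). Control characters and shell metacharacters never get
#     as far as ssh's own (later) validation or its %-token expansion.
#  2. changes_sha256_manifest: Checksums-Sha256 field -> sha256sum -c input.
set -u
LC_ALL=C        # keep [A-Za-z] an ASCII range regardless of locale
export LC_ALL

# Return 0 if $1 may be passed to ssh as a user or host name: non-empty,
# no leading '-' (would parse as an option), only [A-Za-z0-9._-].
# Tabs, newlines, quotes, '$', ';', '|', '`' etc. all hit the negated glob.
ssh_arg_ok() {
    case $1 in
        "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Build (but do not run) the ssh argv, one element per line, refusing any
# unvalidated name. Swap the printf for 'exec ssh' in real use. The value
# is deliberately not echoed on rejection: it is untrusted bytes.
safe_ssh_argv() {
    user=$1; host=$2; shift 2
    ssh_arg_ok "$user" || { printf 'refusing user name\n' >&2; return 2; }
    ssh_arg_ok "$host" || { printf 'refusing host name\n' >&2; return 2; }
    # -l keeps user and host separate, already-checked arguments;
    # '--' ends option parsing so $host can never be read as an option.
    printf '%s\n' ssh -l "$user" -- "$host" "$@"
}

# Print "<sha256>  <file>" for each entry of the Checksums-Sha256 field of
# a .changes file ($1, or stdin). Continuation lines start with a space;
# the next unindented field ends the block (Checksums-Sha1/Files ignored).
changes_sha256_manifest() {
    awk '
        /^Checksums-Sha256:/ { in_block = 1; next }
        /^[^ ]/              { in_block = 0 }
        in_block && NF == 3  { printf "%s  %s\n", $1, $3 }
    ' "$@"
}

# Constructed sample: the checksum fields of the .changes file above.
SAMPLE_CHANGES='Checksums-Sha1:
 a1288bd2fee33331d027ac44b5a948d58b995b97 2734 openssh_8.4p1-5+deb11u7.dsc
Checksums-Sha256:
 f5379af4233695600b4543f0d6fa037bd94ee71e23454cb80c397ab78b3db12a 2734 openssh_8.4p1-5+deb11u7.dsc
 5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 1742201 openssh_8.4p1.orig.tar.gz
 ccd9dd484651ce4cc926228f6e1b46afaf0c5ab98a866217fa0ef1074370ea2b 683 openssh_8.4p1.orig.tar.gz.asc
 224924f0f9cdb4ab682808e9e547bdb9fae9e5ebffe95b861d352a0b877d9b94 195772 openssh_8.4p1-5+deb11u7.debian.tar.xz
 6a3d5f4f90cb59608449a75a87b253704c53d068a32ad85299bb5e20d8f87078 5795 openssh_8.4p1-5+deb11u7_source.buildinfo
Files:
 0ccac117f4037679b2dce79b8f5f2b4a 2734 net standard openssh_8.4p1-5+deb11u7.dsc'

# Manifest from the embedded sample, so the parser runs without files on disk.
sample_manifest() {
    printf '%s\n' "$SAMPLE_CHANGES" | changes_sha256_manifest
}

demo() {
    safe_ssh_argv alice bastion.example.org uptime
    if safe_ssh_argv 'alice;id' bastion.example.org; then
        echo "BUG: metacharacter user name accepted"
    fi
    sample_manifest
}

demo
```

In real use, verify the clearsigned file first (`gpg --verify openssh_8.4p1-5+deb11u7_source.changes`); the checksums only mean something once the signature checks out. Then, in the directory holding the downloaded .dsc, .orig.tar.gz, .asc, .debian.tar.xz and .buildinfo, run `changes_sha256_manifest openssh_8.4p1-5+deb11u7_source.changes | sha256sum -c -`. The allowlist is defence in depth, not a substitute for the changelog's actual advice: do not hand ssh(1)'s command line to untrusted input at all.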