There are 5 open security issues in bookworm.
5 issues left for the package maintainer to handle:
- CVE-2026-35385:
(needs triaging)
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
- CVE-2026-35386:
(needs triaging)
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.
- CVE-2026-35387:
(needs triaging)
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
- CVE-2026-35388:
(needs triaging)
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
- CVE-2026-35414:
(needs triaging)
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
You can find information about how to handle these issues in the security team's documentation.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/o/openssh.png){kind=link}