Debian Package Tracker
Register | Log in
Subscribe

openssh

Choose email to subscribe with

general
  • source: openssh (main)
  • version: 1:10.4p1-1
  • maintainer: Debian OpenSSH Maintainers (archive) (DMD)
  • uploaders: Colin Watson [DMD] – Matthew Vernon [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1:8.4p1-5+deb11u3
  • o-o-sec: 1:8.4p1-5+deb11u7
  • oldstable: 1:9.2p1-2+deb12u10
  • old-sec: 1:9.2p1-2+deb12u9
  • old-bpo: 1:10.0p1-7~bpo12+1
  • old-upd: 1:9.2p1-2+deb12u7
  • stable: 1:10.0p1-7+deb13u4
  • stable-sec: 1:10.0p1-7+deb13u2
  • stable-bpo: 1:10.3p1-1~bpo13+1
  • testing: 1:10.3p1-5
  • unstable: 1:10.4p1-1
versioned links
  • 1:8.4p1-5+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:8.4p1-5+deb11u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:9.2p1-2+deb12u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:9.2p1-2+deb12u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:9.2p1-2+deb12u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.0p1-7~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.0p1-7+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.0p1-7+deb13u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.3p1-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.3p1-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:10.4p1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • openssh-client (281 bugs: 0, 161, 120, 0)
  • openssh-client-gssapi
  • openssh-client-udeb
  • openssh-common
  • openssh-server (251 bugs: 0, 195, 56, 0)
  • openssh-server-gssapi
  • openssh-server-udeb
  • openssh-sftp-server (1 bugs: 0, 1, 0, 0)
  • openssh-tests
  • ssh (122 bugs: 0, 67, 55, 0)
  • ssh-askpass-gnome (3 bugs: 0, 3, 0, 0)
action needed
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:17:31
    Last run: 2026-07-09T07:31:21.000Z
    Previous status: unknown

  • testing: pass (log)
    The tests ran in 0:16:45
    Last run: 2026-02-02T14:23:38.000Z
    Previous status: unknown

  • stable: pass (log)
    The tests ran in 0:17:49
    Last run: 2025-11-08T21:38:36.000Z
    Previous status: unknown

Created: 2026-07-08 Last update: 2026-07-13 08:30
10 security issues in trixie high

There are 10 open security issues in trixie.

2 important issues:
  • CVE-2026-55654: A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
  • CVE-2026-55655: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
8 issues left for the package maintainer to handle:
  • CVE-2026-59995: (needs triaging) sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
  • CVE-2026-59996: (needs triaging) scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
  • CVE-2026-59997: (needs triaging) internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
  • CVE-2026-59998: (needs triaging) sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
  • CVE-2026-59999: (needs triaging) In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
  • CVE-2026-60000: (needs triaging) sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
  • CVE-2026-60001: (needs triaging) sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
  • CVE-2026-60002: (needs triaging) ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-23 Last update: 2026-07-13 01:01
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-55654: A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
  • CVE-2026-55655: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
Created: 2026-06-23 Last update: 2026-07-13 01:01
10 security issues in forky high

There are 10 open security issues in forky.

10 important issues:
  • CVE-2026-55654: A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
  • CVE-2026-55655: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
  • CVE-2026-59995: sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
  • CVE-2026-59996: scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
  • CVE-2026-59997: internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
  • CVE-2026-59998: sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
  • CVE-2026-59999: In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
  • CVE-2026-60000: sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
  • CVE-2026-60001: sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
  • CVE-2026-60002: ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Created: 2026-06-23 Last update: 2026-07-13 01:01
10 security issues in bullseye high

There are 10 open security issues in bullseye.

2 important issues:
  • CVE-2026-55654: A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
  • CVE-2026-55655: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
8 issues postponed or untriaged:
  • CVE-2026-59995: (postponed; to be fixed through a stable update) sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
  • CVE-2026-59996: (postponed; to be fixed through a stable update) scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
  • CVE-2026-59997: (postponed; to be fixed through a stable update) internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
  • CVE-2026-59998: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
  • CVE-2026-59999: (postponed; to be fixed through a stable update) In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
  • CVE-2026-60000: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
  • CVE-2026-60001: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
  • CVE-2026-60002: (postponed; to be fixed through a stable update) ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Created: 2026-06-23 Last update: 2026-07-13 01:01
10 security issues in bookworm high

There are 10 open security issues in bookworm.

2 important issues:
  • CVE-2026-55654: A flaw was found in OpenSSH. This vulnerability, a heap out-of-bounds read, occurs during the cleanup of GSSAPI (Generic Security Service Application Programming Interface) indicators when a trailing NULL termination is missing in the auth-indicators array. A remote attacker, under specific configurations involving GSSAPI authentication and a Kerberos environment, could exploit this to cause the SSH authentication path to crash or abort. This leads to a denial of service (DoS), impacting the availability of the SSH service.
  • CVE-2026-55655: A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.
8 issues left for the package maintainer to handle:
  • CVE-2026-59995: (postponed; to be fixed through a stable update) sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
  • CVE-2026-59996: (postponed; to be fixed through a stable update) scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
  • CVE-2026-59997: (postponed; to be fixed through a stable update) internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
  • CVE-2026-59998: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
  • CVE-2026-59999: (postponed; to be fixed through a stable update) In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
  • CVE-2026-60000: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
  • CVE-2026-60001: (postponed; to be fixed through a stable update) sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
  • CVE-2026-60002: (postponed; to be fixed through a stable update) ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-23 Last update: 2026-07-13 01:01
debian/patches: 1 patch with invalid metadata, 7 patches to forward upstream high

Among the 24 debian patches available in version 1:10.4p1-1 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
  • 7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-07-07 07:00
42 bugs tagged patch in the BTS normal
The BTS contains patches fixing 42 bugs (52 if counting merged bugs), consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-13 09:30
Depends on packages which need a new maintainer normal
The packages that openssh depends on which need a new maintainer are:
  • ssh-askpass (#993155)
    • Suggests: ssh-askpass ssh-askpass
Created: 2019-11-22 Last update: 2026-07-13 09:01
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-07-12 Last update: 2026-07-13 09:01
1 new commit since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit fc40e849b404ed15b9aee82f034f5cffa863e529
Author: Colin Watson <cjwatson@debian.org>
Date:   Wed Jul 8 14:32:16 2026 +0100

    Retroactively mention several CVEs in changelog
Created: 2026-07-08 Last update: 2026-07-08 15:30
7 open merge requests in Salsa normal
There are 7 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-09-21 Last update: 2026-06-26 17:00
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for openssh (1:10.3p1-5 to 1:10.4p1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Autopkgtest for ansible-core/2.21.1~rc1-2: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for curl/8.21.0-2: amd64: Pass, arm64: Pass, armhf: Regression ♻ (reference ♻), i386: Pass, loong64: Pass, ppc64el: Regression ♻ (reference ♻), riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for nbd/1:3.27.1-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Failed (not a regression) ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for openssh/1:10.4p1-1: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/o/openssh.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • ∙ ∙ 6 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-07-06] Accepted openssh 1:10.4p1-1 (source) into unstable (Colin Watson)
  • [2026-07-06] Accepted openssh 1:10.3p1-9 (source) into unstable (Colin Watson)
  • [2026-07-03] Accepted openssh 1:10.3p1-8 (source) into unstable (Colin Watson)
  • [2026-07-03] Accepted openssh 1:10.3p1-7 (amd64 source) into unstable (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-07-02] openssh 1:10.3p1-5 MIGRATED to testing (Debian testing watch)
  • [2026-06-26] Accepted openssh 1:10.3p1-5 (source) into unstable (Colin Watson)
  • [2026-06-06] openssh 1:10.3p1-4 MIGRATED to testing (Debian testing watch)
  • [2026-06-01] Accepted openssh 1:10.3p1-4 (source) into unstable (Colin Watson)
  • [2026-05-30] openssh 1:10.3p1-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-29] Accepted openssh 1:10.3p1-3 (source) into unstable (Colin Watson)
  • [2026-05-15] Accepted openssh 1:8.4p1-5+deb11u7 (source) into oldoldstable-security (Colin Watson) (signed by: Santiago Ruano Rincón)
  • [2026-05-14] Accepted openssh 1:10.3p1-1~bpo13+1 (source) into stable-backports (Colin Watson)
  • [2026-05-06] Accepted openssh 1:10.0p1-7+deb13u4 (source) into proposed-updates (Debian FTP Masters)
  • [2026-05-05] Accepted openssh 1:9.2p1-2+deb12u10 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-05-05] Accepted openssh 1:10.0p1-7+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-05-03] Accepted openssh 1:10.3p1-2 (source) into unstable (Colin Watson)
  • [2026-04-21] openssh 1:10.3p1-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-18] Accepted openssh 1:9.2p1-2+deb12u9 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-04-18] Accepted openssh 1:10.0p1-7+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-04-16] Accepted openssh 1:8.4p1-5+deb11u6 (source) into oldoldstable-security (Colin Watson)
  • [2026-04-12] Accepted openssh 1:10.3p1-1 (source) into unstable (Colin Watson)
  • [2026-04-09] Accepted openssh 1:10.2p1-6~bpo13+1 (source) into stable-backports (Colin Watson)
  • [2026-04-09] Accepted openssh 1:10.0p1-7+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-04-09] Accepted openssh 1:9.2p1-2+deb12u9 (source) into oldstable-security (Debian FTP Masters) (signed by: Colin Watson)
  • [2026-04-03] openssh 1:10.2p1-6 MIGRATED to testing (Debian testing watch)
  • [2026-03-27] Accepted openssh 1:10.2p1-6 (source) into unstable (Colin Watson)
  • [2026-02-28] Accepted openssh 1:9.2p1-2+deb12u8 (source) into oldstable-proposed-updates (Debian FTP Masters)
  • [2026-02-27] Accepted openssh 1:10.0p1-7+deb13u1 (source) into proposed-updates (Debian FTP Masters)
  • [2026-02-22] openssh 1:10.2p1-5 MIGRATED to testing (Debian testing watch)
  • [2026-02-19] Accepted openssh 1:10.2p1-5 (source) into unstable (Colin Watson)
  • 1
  • 2
bugs [bug history graph]
  • all: 645 690
  • RC: 0
  • I&N: 423 442
  • M&W: 221 247
  • F&P: 1
  • patch: 42 52
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (100, -)
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1:10.2p1-2ubuntu3
  • patches for 1:10.2p1-2ubuntu3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing