-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: ppc64el
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-conova-01) <buildd_ppc64el-ppc64el-conova-01@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys;
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
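
An added example (not part of this upload record and not OpenSSH code): a Python audit for the exposure condition the CVE-2026-35414 entry describes, namely authorized_keys lines that mark a key as a user-trusted CA (`cert-authority`) and carry a `principals=""` option naming more than one principal. The function names and the sample file contents are constructed for illustration.

```python
import re

# A line with no options field starts directly with a key type.
KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")
# One option: bare characters or a double-quoted run that may hide commas and spaces.
OPTION = r'(?:[^\s,"]|"(?:\\.|[^"\\])*")+'
FIELD = re.compile(rf"{OPTION}(?:,{OPTION})*")

def parse_options(line):
    """Return {lowercased option name: unquoted value} for one authorized_keys line."""
    if KEY_TYPE.match(line):
        return {}
    field = FIELD.match(line)
    opts = {}
    for opt in re.findall(OPTION, field.group(0) if field else ""):
        name, _, value = opt.partition("=")
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        opts[name.lower()] = value
    return opts

def audit(text):
    """Return (line_no, principals) for cert-authority entries naming >1 principal."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        names = [p for p in opts.get("principals", "").split(",") if p]
        if "cert-authority" in opts and len(names) > 1:
            findings.append((no, names))
    return findings

# Constructed sample; key material is replaced by placeholders.
SAMPLE = """\
# constructed authorized_keys sample
cert-authority,principals="deploy,backup" ssh-ed25519 AAAAC3...CA1 ca-one
cert-authority,principals="deploy" ssh-ed25519 AAAAC3...CA2 ca-two
principals="a,b",command="echo hi" ssh-ed25519 AAAAC3...K3 not-a-ca
ssh-ed25519 AAAAC3...K4 plain-key
from="10.0.0.0/8",cert-authority,principals="ops,dba,root" ssh-rsa AAAAB3...CA5 ca-three
"""

if __name__ == "__main__":
    for line_no, principals in audit(SAMPLE):
        print(f"line {line_no}: cert-authority with principals {principals}")
```

Reported entries meet only the authorized_keys half of the condition in the changelog; whether the CA would issue a certificate with a comma inside a principal name has to be checked on the CA side.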
