-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: s390x
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: s390x Build Daemon (zani) <buildd_s390x-zani@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this
       cannot be absolute given the variety of shells and user configurations
       in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys;
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously, if one of these directives contained any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
   * Cherry-pick IPQoS handling updates from upstream:
     - Set default IPQoS for interactive sessions to Expedited Forwarding
       (EF).
     - Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
     - Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
       continually at runtime based on what sessions/channels are open.
     - Correctly set extended type for client-side channels.  Fixes
       interactive vs bulk IPQoS for client->server traffic.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
