-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:26:56 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: i386
Version: 1:9.2p1-2+deb12u10
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:9.2p1-2+deb12u10) bookworm; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a
       "%u" token in a "Match exec" block, an attacker who can control the
       user name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this
       cannot be absolute given the variety of shells and user
       configurations in use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate,
       an incorrect algorithm was used that could allow inappropriate
       matching in cases where a principal name in the certificate contains
       a comma character. Exploitation of the condition requires an
       authorized_keys principals="" option that lists more than one
       principal *and* a CA that will issue a certificate that encodes more
       than one of these principal names separated by a comma (typical CAs
       strongly constrain which principal names they will place in a
       certificate). This condition only applies to user-trusted CA keys in
       authorized_keys; the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
       Reported by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit
       (closes: #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other
       ECDSA algorithm would be accepted in its place regardless of whether
       it was listed or not. Reported by Christos Papakonstantinou of
       Cantina and Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested
       for proxy mode multiplexing sessions (i.e. "ssh -O proxy ...").
       Reported by Michalis Vasileiadis (closes: #1132575).
Checksums-Sha1:
Checksums-Sha256:
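As an added illustration (not code from OpenSSH or from this upload), the script below assumes standard authorized_keys syntax, flags entries whose principals="" option lists more than one name (the precondition the CVE-2026-35414 entry describes), and shows the exact whole-name comparison that a certificate principal containing a comma can never satisfy; the sample entries and truncated keys are constructed.

```python
# Constructed sample authorized_keys entries (not from the advisory); keys truncated.
SAMPLE_AUTHORIZED_KEYS = """\
cert-authority,principals="alice" ssh-ed25519 AAAAC3Nza...CA1 ops-ca
cert-authority,principals="deploy,backup" ssh-ed25519 AAAAC3Nza...CA2 batch-ca
ssh-ed25519 AAAAC3Nza...USER alice@laptop
"""
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # an entry starting with these has no options

def split_unquoted(s: str, sep: str) -> list[str]:
    """Split s on sep only where sep is outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def parse_principals(line: str):
    """Return the names in a principals="..." option, or None if the entry has none."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    field = split_unquoted(line, " ")[0]          # options field or the key type itself
    if field.startswith(KEY_TYPES):
        return None                               # no options before the key type
    for opt in split_unquoted(field, ","):        # commas inside quotes do not split
        if opt.startswith('principals="') and opt.endswith('"'):
            return [p for p in opt[12:-1].split(",") if p]
    return None

def principal_allowed(cert_principals, allowed) -> bool:
    """Exact per-name comparison: each certificate principal is compared as a whole
    string against each listed name, so "deploy,backup" never matches "deploy"."""
    return any(p in allowed for p in cert_principals)

def audit(text: str) -> list[tuple[int, list[str]]]:
    """Line numbers and names of entries listing more than one principal, the
    precondition the advisory gives for CVE-2026-35414."""
    return [(n, names) for n, line in enumerate(text.splitlines(), 1)
            if (names := parse_principals(line)) and len(names) > 1]

if __name__ == "__main__":
    for n, names in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {n}: principals={names}")
```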