-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:26:56 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: mips64el
Version: 1:9.2p1-2+deb12u10
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03) <buildd_mips64el-mipsel-osuosl-03@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:9.2p1-2+deb12u10) bookworm; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys;
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contained any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
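
An added audit sketch, not part of this upload record or of OpenSSH: it flags authorized_keys entries that meet the exposure condition stated above for CVE-2026-35414, namely a cert-authority line whose principals="" option lists more than one name. The function names and the sample file are constructed for illustration.

```python
import re

# Key-type prefixes that begin an authorized_keys line carrying no options.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def split_options(line):
    """Split the leading option field on commas outside double quotes."""
    if KEY_TYPE.match(line):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '"', i + 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif c in " \t" and not quoted:
            break                               # end of the option field
        else:
            cur += c
        i += 1
    return opts + [cur]

def exposed_lines(text):
    """Return [(line_no, names)] for multi-principal cert-authority entries."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pairs = [o.partition("=") for o in split_options(line)]
        is_ca = any(k.lower() == "cert-authority" for k, _, _ in pairs)
        names = [n for k, _, v in pairs if k.lower() == "principals"
                 for n in v.split(",") if n]
        if is_ca and len(names) > 1:
            hits.append((no, names))
    return hits

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = r'''# constructed authorized_keys
cert-authority,principals="deploy" ssh-ed25519 AAAAPLACEHOLDER ca-one
cert-authority,principals="alice,bob",no-pty ssh-ed25519 AAAAPLACEHOLDER ca-two
principals="x,y" ssh-ed25519 AAAAPLACEHOLDER not-a-ca
command="echo \"a,b\"",cert-authority,principals="ops,dba" ssh-rsa AAAAPLACEHOLDER ca-three
'''
print(exposed_lines(SAMPLE))
```

A hit marks only the configuration precondition named in the changelog entry; whether the CA would issue a certificate with a comma inside a principal name has to be checked on the CA side.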
Checksums-Sha1:
Checksums-Sha256:
Files:

