-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 11:26:56 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: mipsel
Version: 1:9.2p1-2+deb12u10
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-04) <buildd_mips64el-mipsel-osuosl-04@buildd.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:9.2p1-2+deb12u10) bookworm; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys,
       the main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not.  Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
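An added example, not part of the changelog or of OpenSSH: a review script that finds authorized_keys lines meeting the configuration side of the CVE-2026-35414 condition described above, that is, a cert-authority key whose principals="" option lists more than one principal. The function names, the key-type prefix heuristic and the sample input are assumptions made for illustration; a hit marks a line to review, nothing more.

```python
import re

# Lines that start with a key type carry no options field (prefix heuristic, an assumption).
KEYTYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def parse_options(line):
    """Return the comma-separated options of one authorized_keys line ([] if none)."""
    line = line.strip()
    if not line or line.startswith("#") or KEYTYPE.match(line):
        return []
    opts, cur, quoted, prev = [], [], False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted              # commas and spaces inside quotes are literal
        if not quoted and ch in " \t":
            break                            # unquoted whitespace ends the options field
        if not quoted and ch == ",":
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    opts.append("".join(cur))
    return opts

def exposed_lines(text):
    """List (line number, principals) for cert-authority lines naming more than one principal."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        is_ca, names = False, []
        for opt in parse_options(line):
            key, _, val = opt.partition("=")
            if key.lower() == "cert-authority":      # option keywords are case-insensitive
                is_ca = True
            elif key.lower() == "principals":
                names += [p for p in val.strip('"').split(",") if p]
        if is_ca and len(names) > 1:
            hits.append((n, names))
    return hits

# Constructed sample input; key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed authorized_keys sample
ssh-ed25519 AAAAplaceholder alice@laptop
cert-authority,principals="deploy" ssh-ed25519 AAAAplaceholder single-principal-ca
cert-authority,principals="ops,backup",no-pty ssh-ed25519 AAAAplaceholder team-ca
principals="a,b" ssh-rsa AAAAplaceholder not-a-ca-line
command="echo a, b",cert-authority,principals="root,admin" ecdsa-sha2-nistp256 AAAAplaceholder ca2
"""

if __name__ == "__main__":
    for n, names in exposed_lines(SAMPLE):
        print(f"line {n}: cert-authority with principals {names}")
```

Lines that set principals="" without cert-authority are skipped, and the TrustedUserCAKeys/AuthorizedPrincipalsFile path is out of scope because the changelog states it is not affected.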
