Format: 1.8
Date: Tue, 05 May 2026 11:26:56 +0100
Source: openssh
Binary: openssh-client openssh-client-dbgsym openssh-client-udeb openssh-server openssh-server-dbgsym openssh-server-udeb openssh-sftp-server openssh-sftp-server-dbgsym openssh-tests openssh-tests-dbgsym ssh-askpass-gnome ssh-askpass-gnome-dbgsym
Architecture: ppc64el
Version: 1:9.2p1-2+deb12u10
Distribution: bookworm
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02)
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 1132572 1132573 1132574 1132575 1132576
Changes:
 openssh (1:9.2p1-2+deb12u10) bookworm; urgency=medium
 .
   * Backport minor security fixes from 10.3p1:
     - ssh(1): the -J and equivalent -oProxyJump="..." options now validate
       user and host names for ProxyJump/-J options passed via the
       command-line (no such validation is performed for this option in
       configuration files). This prevents shell injection in situations
       where these were directly exposed to adversarial input, which would
       have been a terrible idea to begin with.
     - CVE-2026-35386: ssh(1): validation of shell metacharacters in user
       names supplied on the command-line was performed too late to prevent
       some situations where they could be expanded from %-tokens in
       ssh_config. For certain configurations, such as those that use a "%u"
       token in a "Match exec" block, an attacker who can control the user
       name passed to ssh(1) could potentially execute arbitrary shell
       commands. Reported by Florian Kohnhäuser (closes: #1132573).
       We continue to recommend against directly exposing ssh(1) and other
       tools' command-lines to untrusted input. Mitigations such as this can
       not be absolute given the variety of shells and user configurations in
       use.
     - CVE-2026-35414: sshd(8): when matching an authorized_keys
       principals="" option against a list of principals in a certificate, an
       incorrect algorithm was used that could allow inappropriate matching
       in cases where a principal name in the certificate contains a comma
       character. Exploitation of the condition requires an authorized_keys
       principals="" option that lists more than one principal *and* a CA
       that will issue a certificate that encodes more than one of these
       principal names separated by a comma (typical CAs strongly constrain
       which principal names they will place in a certificate). This
       condition only applies to user-trusted CA keys in authorized_keys, the
       main certificate authentication path
       (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
       by Vladimir Tokarev (closes: #1132576).
     - CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
       mode and without the -p (preserve modes) flag set, scp did not clear
       setuid/setgid bits from downloaded files as one might typically
       expect. This bug dates back to the original Berkeley rcp program.
       Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
       #1132572).
     - CVE-2026-35387: sshd(8): fix incomplete application of
       PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
       to ECDSA keys. Previously if one of these directives contains any
       ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
       algorithm would be accepted in its place regardless of whether it was
       listed or not. Reported by Christos Papakonstantinou of Cantina and
       Spearbit (closes: #1132574).
     - CVE-2026-35388: ssh(1): connection multiplexing confirmation
       (requested using "ControlMaster ask/autoask") was not being tested for
       proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
       by Michalis Vasileiadis (closes: #1132575).
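
Added example (not part of the upload and not OpenSSH code): an audit for the first precondition the CVE-2026-35414 entry names, an authorized_keys CA entry whose principals="" option lists more than one principal. The function names and the sample file are assumptions made for illustration; cert-authority is the authorized_keys option that marks a user-trusted CA key.

```python
def split_unquoted(text, seps, keep_quotes):
    """Split text on any character in seps that sits outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        is_quote = ch == '"' and (i == 0 or text[i - 1] != "\\")
        if is_quote:
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        elif keep_quotes or not is_quote:
            cur += ch
    return [p for p in parts + [cur] if p]

def audit(text):
    """Return (line_number, principals) for each cert-authority entry whose
    principals="" option names more than one principal."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The options field, if present, is the first unquoted-space token.
        field = split_unquoted(line, " \t", True)[0]
        opts = [o.partition("=") for o in split_unquoted(field, ",", False)]
        if not any(key.lower() == "cert-authority" for key, _, _ in opts):
            continue  # plain keys and key-type tokens never match here
        for key, _, value in opts:
            names = [p for p in value.split(",") if p]
            if key.lower() == "principals" and len(names) > 1:
                findings.append((number, names))
    return findings

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# trusted CAs for this account
cert-authority,principals="deploy,backup" ssh-ed25519 AAAA_PLACEHOLDER ca-one
cert-authority,principals="deploy" ssh-ed25519 AAAA_PLACEHOLDER ca-two
command="/bin/echo a,b",Cert-Authority,principals="ops,dba" ssh-ed25519 AAAA_PLACEHOLDER ca-three
ssh-ed25519 AAAA_PLACEHOLDER alice@laptop
'''

if __name__ == "__main__":
    for number, names in audit(SAMPLE):
        print(f"line {number}: principals={names}")
```

A hit covers only the first of the two conditions in the changelog entry; whether the CA would ever place a comma inside a principal name has to be checked on the CA side.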
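
Added example (not part of the upload and not OpenSSH code): for the CVE-2026-35387 entry, a check over the effective configuration printed by `sshd -T` that reports which ECDSA algorithms are absent from a list that names at least one other ECDSA algorithm, i.e. the ones the changelog says were accepted anyway before the fix. Assumptions: only the three plain ECDSA key algorithm names are considered, and the function name and sample output are constructed for illustration.

```python
# Plain ECDSA key algorithm names; certificate and sk- variants are not
# covered because the changelog entry does not say how they were treated.
ECDSA = ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
DIRECTIVES = ("pubkeyacceptedalgorithms", "hostbasedacceptedalgorithms")

def ecdsa_gaps(sshd_t_output):
    """Map each affected directive to the ECDSA names it omits while
    listing at least one other ECDSA name."""
    gaps = {}
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        key = key.lower()
        if key not in DIRECTIVES:
            continue
        listed = {alg.strip() for alg in value.split(",")}
        present = [alg for alg in ECDSA if alg in listed]
        missing = [alg for alg in ECDSA if alg not in listed]
        # No ECDSA listed: nothing to widen. All listed: nothing omitted.
        if present and missing:
            gaps[key] = missing
    return gaps

# Constructed excerpt in the "keyword value" form that sshd -T prints.
SAMPLE_T = """\
port 22
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp384,rsa-sha2-512
hostbasedacceptedalgorithms ssh-ed25519,rsa-sha2-512
"""

if __name__ == "__main__":
    for directive, missing in ecdsa_gaps(SAMPLE_T).items():
        print(f"{directive}: unlisted ECDSA algorithms: {', '.join(missing)}")
```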