Your message dated Mon, 06 Jul 2026 19:19:27 +0000
with message-id <[email protected]>
and subject line Bug#1141420: fixed in openssh 1:10.4p1-1
has caused the Debian Bug report #1141420,
regarding openssh-client: /usr/share/doc/openssh-client is an absolute symlink
after upgrade
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141420
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:10.3p1-8
Upgrading from version 1:10.3p1-5 turns /usr/share/doc/openssh-client
into a symlink, but it is an absolute symlink rather than a relative one
as recommended by policy and shipped by the package:
,----
| # apt install openssh-client
| Upgrading:
| openssh-client
|
| Installing dependencies:
| openssh-common
|
| [...]
| Preparing to unpack .../openssh-client_1%3a10.3p1-8_amd64.deb ...
| Unpacking openssh-client (1:10.3p1-8) over (1:10.3p1-5) ...
| Selecting previously unselected package openssh-common.
| Preparing to unpack .../openssh-common_1%3a10.3p1-8_amd64.deb ...
| Unpacking openssh-common (1:10.3p1-8) ...
| Setting up openssh-common (1:10.3p1-8) ...
| Setting up openssh-client (1:10.3p1-8) ...
| # ls -ld /usr/share/doc/openssh-client
| lrwxrwxrwx 1 root root 29 Jul 4 09:25 /usr/share/doc/openssh-client ->
/usr/share/doc/openssh-common
`----
I think in debian/*.maintscript a relative path for the symlink target
ought to be used, but I have not tested that. Suggested patch:
sed -i 's#/usr/share/doc/openssh-common#openssh-common#' debian/*.maintscript
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.4p1-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Jul 2026 19:11:28 +0100
Source: openssh
Architecture: source
Version: 1:10.4p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1134814 1141420
Changes:
openssh (1:10.4p1-1) unstable; urgency=medium
.
[ Sven Joachim ]
* Make doc symlinks relative on upgrade from 1:10.3p1-5 (closes:
#1141420).
.
[ Colin Watson ]
* New upstream release:
- SECURITY: sftp(1): when downloading files on the command-line using
"sftp host:/path .", a malicious server could cause the file to be
downloaded to an unexpected location. This issue was identified by the
Swival Security Scanner.
- SECURITY: scp(1): when copying files between two remote destinations,
do not allow a malicious server to write files to the parent directory
of the intended target directory. This issue was identified by the
Swival Security Scanner.
- SECURITY: sshd(8): when using the "internal-sftp" SFTP server
implementation (this is not the default), long command lines were
previously truncated silently after the 9th argument. If a
security-relevant option was in the 10th or later position, it would
be discarded. Reported by Steve Caffrey.
- SECURITY: sshd(8): add a documentation note to mention that the
GSSAPIStrictAcceptorCheck option is ineffective when the server is
joined to a Windows Active Directory. Reported by Yarin Aharoni of
Safebreach.
- SECURITY: sshd(8): DisableForwarding=yes didn't override
PermitTunnel=yes as it was documented to do. Note that PermitTunnel is
not enabled by default. Reported independently by Huzaifa Sidhpurwala
of Redhat and Marko Jevtic.
- SECURITY: sshd(8): avoid a potential pre-authentication denial of
service when GSSAPIAuthentication was enabled (this feature is off by
default). This was not mitigated by MaxAuthTries, but would be
penalised by PerSourcePenalties. This was reported by Manfred Kaiser
of the milCERT AT (Austrian Ministry of Defence).
- SECURITY: sshd(8): fix a number of cases where the minimum
authentication delay was not being enforced. Reported by the Orange
Cyberdefense Vulnerability Team.
- SECURITY: ssh(1): fix a possible client-side use-after-free if the
server changes its host key during a key reexchange. This was reported
by Zhenpeng (Leo) Lin of Depthfirst.
- All: add experimental support for a composite post-quantum signature
scheme that combines ML-DSA 44 and Ed25519 as specified in
draft-miller-sshm-mldsa44-ed25519-composite-sigs. This scheme is not
enabled by default. To use it, you'll need to add it to
HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc. Keys may be
generated using "ssh-keygen -t mldsa44-ed25519".
- ssh(1), sshd(8): replace the wildcard pattern matcher with an
implementation based on an NFA. This avoids exponential worst-case
behaviour for the old implementation.
- ssh-agent(1): fix incorrect reply to "query" SSH_AGENTC_EXTENSION
requests.
- sshd(8): avoid sending observably different messages for valid vs
invalid users in GSSAPIAuthentication (disabled by default).
- ssh(1), sshd(8): fix several bugs that incorrectly classified bulk
traffic as interactive.
- ssh-keygen(1), ssh-add(1): skip unsupported key types when downloading
resident keys from a FIDO token. Previously, downloads would abort
when one was encountered.
- ssh(1): fix a potential use-after-free on an error path if
cipher_init() fails.
- sshd(8): perform stricter encoding and validation of transport state
passed between sshd privilege separation subprocesses. This somewhat
further hardens the server against attacks on sshd-auth or
sshd-session subprocesses.
- ssh-agent(1): avoid possible runtime denial of service by enforcing
some limits on the length of usernames in key use constraints.
- sftp(1): fix two separate one-byte out-of-bounds reads, in
SSH2_FXP_REALPATH and batch command processing.
- sftp-server(8): disallow use of the copy-data extension to read and
write to the same inode simultaneously.
- ssh(1), sshd(8): avoid strlen(NULL) crash if an X11 channel was
created before the x11-req SSH_MSG_CHANNEL_REQUEST was sent.
- sftp(1), scp(1): avoid a situation where sftp_download() could get
stuck in a loop if a broken server repeatedly returned zero length
while reading a file.
- ssh(1): avoid leaking DNS0x20 case-randomised names into names
canonicalised using CanonicalizePermittedCNAMEs.
- sftp-server(8): avoid truncation of pathnames passed to lstat() during
SSH_FXP_REALPATH handling on systems where PATH_MAX is not the actual
max.
- ssh(1), sshd(8): correct arming of poll(2) event masks for some
socket-type channels.
- sshd(8): major refactor of sshd_config parsing and management code, to
allow for more exact serialisation/deserialisation across privilege
separation boundaries.
- ssh-add(1): open connection to the agent only after getopt()
processing has completed, to give options like "-v" a chance to
display debug information about this operation.
- sshd(8): differentiate between execution failures and a subsystem that
was not found when logging why a subsystem failed to start.
- All: use safer idioms for timegm(3) and mktime(3) error detection.
- ssh(1), sshd(8): avoid accepting invalid cipher or MAC lists in config
files or command-line arguments. This could cause runtime failures
later.
- ssh(1): fix NULL deref crash during pubkey auth when using a PEM style
private key with no corresponding .pub key adjacent to it (closes:
#1134814).
- sshd(8): don't print an error message when trying to load a host
private key when PKCS#11 keys are in use, as these don't need the
private half on the filesystem.
- All: don't use deprecated ERR_load_crypto_strings().
- ssh(1): properly report errors during configuration default setting.
- ssh(1): use correct directive name (Match instead of Host) in error
message.
- sftp(1): fix "ls -ln" which was not correctly showing numeric UID/GIDs
but rather user and group names.
- sshd(8): avoid possible NULL dereference if an allocation fails during
config parsing.
- All: fix ineffective guards against loading overly large public keys
in several places.
- sftp(1): ensure file descriptors used by sftp to communicate to its
ssh(1) subprocess don't leak into executed subprocesses (e.g. via
"!").
- Sync fmt_scaled.c with OpenBSD upstream, picking up an exactness fix
for large exponents.
- sshd(8): remove duplicate sandbox entry for clock_gettime64.
- Sync getrrsetbyname.c with OpenBSD upstream, picking up robustness
fixes.
- Fix a number of memory leaks on error paths in the portability code.
- Revise the README.privsep documentation to reflect sshd's recent
switch to a multi-binary model.
Checksums-Sha1:
df9f47c0f27ac289f28a014382b376c751b36030 3651 openssh_10.4p1-1.dsc
ae8650a71cc52dbbd049519cee276ae6d65c2c4d 2321796 openssh_10.4p1.orig.tar.gz
024bbb98d37dc35c31a49144770c6e38bfe53829 833 openssh_10.4p1.orig.tar.gz.asc
eba70bbacbe02995f7eeec31a1dd96a7cd7a8058 208228 openssh_10.4p1-1.debian.tar.xz
Checksums-Sha256:
878de8e50995ae6a2eaad52c829036729c48a57a104d9ba32d558fb82096ee5e 3651
openssh_10.4p1-1.dsc
ef6026dd2aea8d56059638d5d3262902c892ceba9f88395835e0d06d3fb63238 2321796
openssh_10.4p1.orig.tar.gz
9206329419c45245913ae42fd290e2ed5b1669df97d9cf0d3e28c06b63035e51 833
openssh_10.4p1.orig.tar.gz.asc
5c5d2f7ee53bef6f96355eab24062b82f226ead501dc3f8630f75202f662ca1f 208228
openssh_10.4p1-1.debian.tar.xz
Files:
e89a2b713609f72642c98c6a454c45e1 3651 net standard openssh_10.4p1-1.dsc
c5fb91ded926b38e8956074cac2cd44f 2321796 net standard
openssh_10.4p1.orig.tar.gz
105ff131214dc93a4892488bc80b444a 833 net standard
openssh_10.4p1.orig.tar.gz.asc
c9d6a49c9f1d34a9b0358f3860a9f1b2 208228 net standard
openssh_10.4p1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmpL+hEACgkQOTWH2X2G
UAtBwBAAhHqb1L4vbgAc1c0LGWm+Ebx6zyCgxVhwa6kHyy/+L2NtUmPIpwSlmIdw
TIbpnKfqVXgvvykMHqXQQOU8fWWt4Q715m4UGv6F0NgDNr7RKicND6DfIlDXdzCp
dwNZFLkqLMIrn8+DzYoNcMN2nN1q62jQ+cVc4q13UvK4uUrxQSGrdAb6dr3zaoMR
/Exj6aPD++Tf5JoOt+BDnqRln/hjhsqnN3NqJ1000PaRi4JzP0YmZOz1/40Ja0dm
yQ6Xo6bg+hasGcMa4GYXdFXFqI6mVRGItZ1CZgCCG9kfvDtXnSzgCC3no7BgW0bU
Iyt5EVlauSiEEePOnn+I9FK+PDmfL6n4CmV2/DM2btbpjFO9g3FjUGRADDA5H6Fo
wE5cEmISiRKO28qjAFyNDpSDqzN1GDE9RKMCf/l5lZLetMl3/8rfkwDRD1L/A5qb
9tz1NyycIH4Qlpv7++WUXzFxLJyQptrGD6Fj6uPdC6mmCAeeo6yy6DwAm5NxtntG
nD2CH8zzHxJ0oLY/6sM8cgEvNfuok6tCNdHeyLUpI8DZXi3tzJToH92yd7uzLt3m
pMM/BY/t05GZ3HabhxOCJi7H/OOk1MwNaDtlJnG1AOkwuYXXUDmwbPGYvXiDjsC5
uJ9SE+LmTcrZ8a/ms24nuf38GPta4mLTDY5OHBUNk6Ixj707nRo=
=LnvT
-----END PGP SIGNATURE-----
pgpCQGLYhsnNC.pgp
Description: PGP signature
--- End Message ---