Your message dated Tue, 05 May 2026 18:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1132573: fixed in openssh 1:10.0p1-7+deb13u3
has caused the Debian Bug report #1132573,
regarding openssh: CVE-2026-35386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132573
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssh
Version: 1:10.2p1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for openssh.
CVE-2026-35386[0]:
| In OpenSSH before 10.3, command execution can occur via shell
| metacharacters in a username within a command line. This requires a
| scenario where the username on the command line is untrusted, and
| also requires a non-default configuration of % in ssh_config.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35386
https://www.cve.org/CVERecord?id=CVE-2026-35386
[1] https://www.openssh.org/releasenotes.html#10.3p1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.0p1-7+deb13u3
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 05 May 2026 11:25:39 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-7+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1130595 1132572 1132573 1132574 1132575 1132576
Changes:
openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
.
* Backport minor security fixes from 10.3p1:
- ssh(1): the -J and equivalent -oProxyJump="..." options now validate
user and host names for ProxyJump/-J options passed via the
command-line (no such validation is performed for this option in
configuration files). This prevents shell injection in situations
where these were directly exposed to adversarial input, which would
have been a terrible idea to begin with.
- CVE-2026-35386: ssh(1): validation of shell metacharacters in user
names supplied on the command-line was performed too late to prevent
some situations where they could be expanded from %-tokens in
ssh_config. For certain configurations, such as those that use a "%u"
token in a "Match exec" block, an attacker who can control the user
name passed to ssh(1) could potentially execute arbitrary shell
commands. Reported by Florian Kohnhäuser (closes: #1132573).
We continue to recommend against directly exposing ssh(1) and other
tools' command-lines to untrusted input. Mitigations such as this can
not be absolute given the variety of shells and user configurations in
use.
- CVE-2026-35414: sshd(8): when matching an authorized_keys
principals="" option against a list of principals in a certificate, an
incorrect algorithm was used that could allow inappropriate matching
in cases where a principal name in the certificate contains a comma
character. Exploitation of the condition requires an authorized_keys
principals="" option that lists more than one principal *and* a CA
that will issue a certificate that encodes more than one of these
principal names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This
condition only applies to user-trusted CA keys in authorized_keys; the
main certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
by Vladimir Tokarev (closes: #1132576).
- CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
mode and without the -p (preserve modes) flag set, scp did not clear
setuid/setgid bits from downloaded files as one might typically
expect. This bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
#1132572).
- CVE-2026-35387: sshd(8): fix incomplete application of
PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
to ECDSA keys. Previously if one of these directives contains any
ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
algorithm would be accepted in its place regardless of whether it was
listed or not. Reported by Christos Papakonstantinou of Cantina and
Spearbit (closes: #1132574).
- CVE-2026-35388: ssh(1): connection multiplexing confirmation
(requested using "ControlMaster ask/autoask") was not being tested for
proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
by Michalis Vasileiadis (closes: #1132575).
* Cherry-pick IPQoS handling updates from upstream:
- Set default IPQoS for interactive sessions to Expedited Forwarding
(EF).
- Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
- Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.
- Correctly set extended type for client-side channels. Fixes
interactive vs bulk IPQoS for client->server traffic.
.
openssh (1:10.0p1-7+deb13u2) trixie-security; urgency=medium
.
* CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
--- End Message ---
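As an added example (not code from OpenSSH or the Debian package), this is the kind of pre-validation the changelog recommends for callers that cannot avoid building an ssh(1) command line from untrusted user and host names, so that shell metacharacters never reach a %u or %h token expansion. The allow-list patterns and the helper names are this example's own assumptions, deliberately narrower than what OpenSSH itself accepts.

```python
import re
import subprocess

# Allow-lists are an assumption of this example; they are intentionally narrower
# than OpenSSH's own valid_ruser()/valid_hostname() checks. Nothing outside
# [A-Za-z0-9._-] can pass, so no shell metacharacter or '%' token survives.
_USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_safe_user(user: str) -> bool:
    """True only for names with no shell metacharacters, no '%' and no
    leading '-' (which ssh would otherwise parse as an option)."""
    return _USER_RE.fullmatch(user) is not None


def is_safe_host(host: str) -> bool:
    """DNS-style host name: label characters only, no leading '-', <= 253 chars."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def build_ssh_argv(user: str, host: str, command=()) -> list:
    """Build an argv for ssh(1) from already-validated user/host values.
    '-l user' and '--' keep both values out of option parsing even if the
    allow-lists are later loosened. Raises ValueError on rejected input."""
    if not is_safe_user(user):
        raise ValueError(f"rejected user name: {user!r}")
    if not is_safe_host(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ssh", "-oBatchMode=yes", "-l", user, "--", host, *command]


def run_ssh(user: str, host: str, command=()):
    """Run ssh without a shell; argv is passed as a list, never a string."""
    return subprocess.run(build_ssh_argv(user, host, command), check=False)


if __name__ == "__main__":
    # Constructed inputs: one ordinary name followed by shapes an untrusted
    # caller might supply; each of the latter is rejected before ssh runs.
    for candidate in ["alice", "alice;id", "$(id)", "-oProxyCommand=x", "a%u"]:
        print(f"{candidate!r:22} safe={is_safe_user(candidate)}")
```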