This bug was fixed in the package openssh - 1:10.2p1-2ubuntu3.4
---------------
openssh (1:10.2p1-2ubuntu3.4) resolute-security; urgency=medium
* SECURITY UPDATE: sftp downloaded files location issue
- debian/patches/CVE-2026-59995.patch: upstream: avoid download to server-
controlled path when performing in sftp.c.
- CVE-2026-59995
* SECURITY UPDATE: scp parent directory issue
- debian/patches/CVE-2026-59996.patch: upstream: resist that return ".." via
remote glob during in scp.c.
- CVE-2026-59996
* SECURITY UPDATE: internal-sftp ignores more than 9 commandline args
- debian/patches/CVE-2026-59997.patch: upstream: pass >9 commandline
arguments to the internal-sftp server, in session.c.
- CVE-2026-59997
* SECURITY UPDATE: undocumented GSSAPIStrictAcceptorCheck behaviour
- debian/patches/CVE-2026-59998.patch: upstream: mention a caveat regarding
GSSAPIStrictAcceptorCheck in in sshd_config.5.
- CVE-2026-59998
* SECURITY UPDATE: DisableForwarding=yes not taking proper precedence
- debian/patches/CVE-2026-59999.patch: upstream: DisableForwarding=yes
didn't override PermitTunnel=yes in serverloop.c.
- CVE-2026-59999
* SECURITY UPDATE: DoS via MaxAuthTries mishandling
- debian/patches/CVE-2026-60000-1.patch: upstream: Fix multiple RFC 4462
(GSSAPIAuthentication) compliance in auth2-gss.c.
- debian/patches/CVE-2026-60000-2.patch: upstream: unused variables in
auth2-gss.c.
- CVE-2026-60000
* SECURITY UPDATE: minimum authentication delay not always honoured
- debian/patches/CVE-2026-60001.patch: upstream: Fix cases in GSSAPI and
keyboard-interactive in auth.h, auth2-chall.c, auth2-gss.c, auth2.c.
- CVE-2026-60001
* SECURITY UPDATE: Use-after-free during a key re-exchange
- debian/patches/CVE-2026-60002.patch: upstream: fix ownership and lifetime
of several bits of client in ssh.c, sshconnect.c, sshconnect.h,
sshconnect2.c.
- CVE-2026-60002
-- Marc Deslauriers <[email protected]> Thu, 09 Jul 2026
14:06:35 -0400
** Changed in: openssh (Ubuntu Resolute)
Status: Fix Committed => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2026-59995
** CVE added: https://cve.org/CVERecord?id=CVE-2026-59996
** CVE added: https://cve.org/CVERecord?id=CVE-2026-59997
** CVE added: https://cve.org/CVERecord?id=CVE-2026-59998
** CVE added: https://cve.org/CVERecord?id=CVE-2026-59999
** CVE added: https://cve.org/CVERecord?id=CVE-2026-60000
** CVE added: https://cve.org/CVERecord?id=CVE-2026-60001
** CVE added: https://cve.org/CVERecord?id=CVE-2026-60002
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151817
Title:
SSSD incompatible with OpenSSH ≥10.1p1 PAM username consistency check
when using short names
To manage notifications about this bug go to:
https://bugs.launchpad.net/sssd/+bug/2151817/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs