Your message dated Wed, 06 May 2026 18:32:51 +0000
with message-id <[email protected]>
and subject line Bug#1132573: fixed in openssh 1:10.0p1-7+deb13u4
has caused the Debian Bug report #1132573,
regarding openssh: CVE-2026-35386
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132573
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssh
Version: 1:10.2p1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for openssh.
CVE-2026-35386[0]:
| In OpenSSH before 10.3, command execution can occur via shell
| metacharacters in a username within a command line. This requires a
| scenario where the username on the command line is untrusted, and
| also requires a non-default configuration of % in ssh_config.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35386
https://www.cve.org/CVERecord?id=CVE-2026-35386
[1] https://www.openssh.org/releasenotes.html#10.3p1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.0p1-7+deb13u4
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 May 2026 13:33:32 +0100
Source: openssh
Architecture: source
Version: 1:10.0p1-7+deb13u4
Distribution: trixie
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1130595 1132572 1132573 1132574 1132575 1132576 1135798
Changes:
openssh (1:10.0p1-7+deb13u4) trixie; urgency=medium
.
* Don't reuse c->isatty for signalling that the remote channel has a tty
attached (closes: #1135798).
.
openssh (1:10.0p1-7+deb13u3) trixie; urgency=medium
.
* Backport minor security fixes from 10.3p1:
- ssh(1): the -J and equivalent -oProxyJump="..." options now validate
user and host names for ProxyJump/-J options passed via the
command-line (no such validation is performed for this option in
configuration files). This prevents shell injection in situations
where these were directly exposed to adversarial input, which would
have been a terrible idea to begin with.
- CVE-2026-35386: ssh(1): validation of shell metacharacters in user
names supplied on the command-line was performed too late to prevent
some situations where they could be expanded from %-tokens in
ssh_config. For certain configurations, such as those that use a "%u"
token in a "Match exec" block, an attacker who can control the user
name passed to ssh(1) could potentially execute arbitrary shell
commands. Reported by Florian Kohnhäuser (closes: #1132573).
We continue to recommend against directly exposing ssh(1) and other
tools' command-lines to untrusted input. Mitigations such as this can
not be absolute given the variety of shells and user configurations in
use.
- CVE-2026-35414: sshd(8): when matching an authorized_keys
principals="" option against a list of principals in a certificate, an
incorrect algorithm was used that could allow inappropriate matching
in cases where a principal name in the certificate contains a comma
character. Exploitation of the condition requires an authorized_keys
principals="" option that lists more than one principal *and* a CA
that will issue a certificate that encodes more than one of these
principal names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This
condition only applies to user-trusted CA keys in authorized_keys;
the main certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported
by Vladimir Tokarev (closes: #1132576).
- CVE-2026-35385: scp(1): when downloading files as root in legacy (-O)
mode and without the -p (preserve modes) flag set, scp did not clear
setuid/setgid bits from downloaded files as one might typically
expect. This bug dates back to the original Berkeley rcp program.
Reported by Christos Papakonstantinou of Cantina and Spearbit (closes:
#1132572).
- CVE-2026-35387: sshd(8): fix incomplete application of
PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard
to ECDSA keys. Previously if one of these directives contains any
ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA
algorithm would be accepted in its place regardless of whether it was
listed or not. Reported by Christos Papakonstantinou of Cantina and
Spearbit (closes: #1132574).
- CVE-2026-35388: ssh(1): connection multiplexing confirmation
(requested using "ControlMaster ask/autoask") was not being tested for
proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported
by Michalis Vasileiadis (closes: #1132575).
* Cherry-pick IPQoS handling updates from upstream:
- Set default IPQoS for interactive sessions to Expedited Forwarding
(EF).
- Deprecate support for IPv4 type-of-service (TOS) IPQoS keywords.
- Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.
- Correctly set extended type for client-side channels. Fixes
interactive vs bulk IPQoS for client->server traffic.
.
openssh (1:10.0p1-7+deb13u2) trixie-security; urgency=medium
.
* CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
Checksums-Sha1:
7651f1e593d7286556598700aa1bbc38273616bf 3763 openssh_10.0p1-7+deb13u4.dsc
5322cbd663e2d9e72726ec01a88ebd49c767a517 215600 openssh_10.0p1-7+deb13u4.debian.tar.xz
d2fd5a034e631437412375c4e17168279c4b5489 53237612 openssh_10.0p1-7+deb13u4.git.tar.xz
76f6ec4023fbdb12a1579021648e6423a98a6bc6 17386 openssh_10.0p1-7+deb13u4_source.buildinfo
Checksums-Sha256:
73fed3fd77d60925ed342bcb0afd3c037e4ea0d39333107bf617aa90f859910f 3763 openssh_10.0p1-7+deb13u4.dsc
102e1065030c6002acabd7f896eeba1462bf54b4d7393bac34b0308312868ec6 215600 openssh_10.0p1-7+deb13u4.debian.tar.xz
68618631cc634059a9b061321af098fa29986cf67b1423a04f1b68b2cfa30efd 53237612 openssh_10.0p1-7+deb13u4.git.tar.xz
aa0756d97dae64a0e31a2043e5cd0928c9ee22c8beafd9403d522d56063ca939 17386 openssh_10.0p1-7+deb13u4_source.buildinfo
Files:
1d2c0582504849dd95fa0e3f1bcf1986 3763 net standard openssh_10.0p1-7+deb13u4.dsc
cd617a64903b9e5e723c21983348b5e0 215600 net standard openssh_10.0p1-7+deb13u4.debian.tar.xz
69cf6f3da54f68154078205636179525 53237612 net standard openssh_10.0p1-7+deb13u4.git.tar.xz
d0e1c20b5c1efc602524612a18a720a3 17386 net standard openssh_10.0p1-7+deb13u4_source.buildinfo
Git-Tag-Info: tag=1d2a4689aeb611f9744c168417a8f213d84a2348 fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
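The changelog entry for CVE-2026-35386 above ends with the maintainers' advice against exposing ssh(1) command lines to untrusted input at all, because validation inside ssh cannot be complete across every shell and configuration. A program that must call ssh with a caller-supplied user or host can enforce that on its own side, before the value reaches ssh(1) and any %-token expansion in ssh_config. The following Python is an added example written for this page, not Debian's or OpenSSH's code: it rejects values containing shell or token metacharacters, applies a conservative allowlist, and passes user and host as separate argv words (`-l user host`) rather than as a shell string or a joined `user@host`. The allowlists and the rejection set are this example's own assumptions, and all sample inputs are constructed.

```python
"""Validate untrusted user/host values before they ever reach ssh(1)'s argv.

Added example for this page (not OpenSSH or Debian code). The allowlists
below are assumptions chosen to be stricter than what ssh itself accepts.
"""
import re
import subprocess

# Allowlists (assumption): POSIX-style lowercase user names, DNS labels for hosts.
_USER_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Characters a shell, or ssh_config %-token expansion, gives meaning to.
# Checked separately from the allowlist so the rejection reason is explicit.
_META = set("'\"`;&|<>(){}$\\*?[]#~%!\t\n ")


class UnsafeArgument(ValueError):
    """Raised when a value must not be handed to ssh(1)."""


def validate_user(user: str) -> str:
    """Return `user` unchanged if it is safe to pass via `ssh -l`, else raise."""
    if not user or user[0] == "-":
        raise UnsafeArgument("user name is empty or looks like an option")
    bad = sorted(set(user) & _META)
    if bad:
        raise UnsafeArgument(f"user name contains metacharacters {bad}")
    if not _USER_RE.fullmatch(user):
        raise UnsafeArgument("user name outside allowlist")
    return user


def validate_host(host: str) -> str:
    """Return `host` unchanged if every DNS label is well formed, else raise."""
    if not host or host[0] == "-" or len(host) > 253:
        raise UnsafeArgument("host is empty, too long, or looks like an option")
    labels = host.rstrip(".").split(".")
    if not all(_LABEL_RE.fullmatch(label) for label in labels):
        raise UnsafeArgument("host name outside allowlist")
    return host


def build_ssh_argv(user: str, host: str) -> list:
    """Build the argv list: user and host stay separate words, so neither can
    smuggle an option, an '@', or a shell fragment into the other."""
    return ["ssh", "-o", "BatchMode=yes", "-l", validate_user(user), validate_host(host)]


def is_safe_pair(user: str, host: str) -> bool:
    """Boolean form of the checks, for callers that want to log and skip."""
    try:
        build_ssh_argv(user, host)
        return True
    except UnsafeArgument:
        return False


def run_ssh(user: str, host: str) -> int:
    """Run ssh with an argv list (never shell=True); return its exit status."""
    return subprocess.run(build_ssh_argv(user, host), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one clean pair, then values a caller must never forward.
    print(build_ssh_argv("deploy", "build01.example.org"))
    for user, host in [("deploy;id", "build01.example.org"),
                       ("-deploy", "build01.example.org"),
                       ("deploy", "-oProxyCommand=x"),
                       ("deploy", "a..b")]:
        print(repr((user, host)), "->", "ok" if is_safe_pair(user, host) else "rejected")
```

The metacharacter check rejects before the allowlist so that operators see why a value was refused; the allowlist then catches anything else outside the expected shape (uppercase user names, empty DNS labels). Because the values are handed to `subprocess.run` as a list, no shell ever interprets them on the calling side either.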