[Git][security-tracker-team/security-tracker][master] Reserve DLA-4584-1 for openssh

Fri, 15 May 2026 08:23:36 -0700 


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99f46f41 by Santiago Ruano Rincón at 2026-05-15T12:23:12-03:00
Reserve DLA-4584-1 for openssh

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -26057,31 +26057,26 @@ CVE-2026-35414 (OpenSSH before 10.3 mishandles the 
authorized_keys principals op
        - openssh 1:10.3p1-1 (bug #1132576)
        [trixie] - openssh <no-dsa> (Minor issue)
        [bookworm] - openssh <no-dsa> (Minor issue)
-       [bullseye] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35388 (OpenSSH before 10.3 omits connection multiplexing confirmation 
for pro ...)
        - openssh 1:10.3p1-1 (bug #1132575)
        [trixie] - openssh <no-dsa> (Minor issue)
        [bookworm] - openssh <no-dsa> (Minor issue)
-       [bullseye] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35387 (OpenSSH before 10.3 can use unintended ECDSA algorithms. 
Listing of an ...)
        - openssh 1:10.3p1-1 (bug #1132574)
        [trixie] - openssh <no-dsa> (Minor issue)
        [bookworm] - openssh <no-dsa> (Minor issue)
-       [bullseye] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35386 (In OpenSSH before 10.3, command execution can occur via shell 
metachar ...)
        - openssh 1:10.3p1-1 (bug #1132573)
        [trixie] - openssh <no-dsa> (Minor issue)
        [bookworm] - openssh <no-dsa> (Minor issue)
-       [bullseye] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35385 (In OpenSSH before 10.3, a file downloaded by scp may be 
installed setu ...)
        - openssh 1:10.3p1-1 (bug #1132572)
        [trixie] - openssh <no-dsa> (Minor issue)
        [bookworm] - openssh <no-dsa> (Minor issue)
-       [bullseye] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35168 (OpenSTAManager is an open source management software for 
technical ass ...)
        NOT-FOR-US: OpenSTAManager
@@ -99498,14 +99493,12 @@ CVE-2025-61985 (ssh in OpenSSH before 10.1 allows the 
'\0' character in an ssh:/
        - openssh 1:10.1p1-1 (bug #1117530)
        [trixie] - openssh 1:10.0p1-7+deb13u1
        [bookworm] - openssh 1:9.2p1-2+deb12u8
-       [bullseye] - openssh <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
        NOTE: 
https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0
 (V_10_1_P1)
 CVE-2025-61984 (ssh in OpenSSH before 10.1 allows control characters in 
usernames that ...)
        - openssh 1:10.1p1-1 (bug #1117529)
        [trixie] - openssh 1:10.0p1-7+deb13u1
        [bookworm] - openssh 1:9.2p1-2+deb12u8
-       [bullseye] - openssh <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
        NOTE: 
https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
        NOTE: 
https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043
 (V_10_1_P1)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[15 May 2026] DLA-4584-1 openssh - security update
+       {CVE-2025-61984 CVE-2025-61985 CVE-2026-35385 CVE-2026-35386 
CVE-2026-35387 CVE-2026-35388 CVE-2026-35414}
+       [bullseye] - openssh 1:8.4p1-5+deb11u7
 [15 May 2026] DLA-4583-1 python3.9 - security update
        {CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644 CVE-2026-4224 
CVE-2026-4519}
        [bullseye] - python3.9 3.9.2-1+deb11u7


=====================================
data/dla-needed.txt
=====================================
@@ -382,10 +382,6 @@ openexr
 openjpeg2
   NOTE: 20260418: Added by Front-Desk (rouca)
 --
-openssh (santiago)
-  NOTE: 20260514: Added by coordinator (santiago)
-  NOTE: 20260514: Maintainer has prepared an update
---
 openssl
   NOTE: 20260411: Added by Front-Desk (utkarsh)
   NOTE: 20260411: Follow DSA-6201-1 (CVE-2026-28387 CVE-2026-28388 
CVE-2026-28389



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f46f41f07845a126ee692acc145c726012d651

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f46f41f07845a126ee692acc145c726012d651
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to