Public bug reported:
[Impact]
The 1:10.0p1-5ubuntu5.1 upload[1] contains a fix for CVE-2025-61984,
which changes how %-expansion of usernames is handled in ssh:
openssh (1:10.0p1-5ubuntu5.1) questing-security; urgency=medium

  * SECURITY UPDATE: GSSAPI Key Exchange issue
    - debian/patches/gssapi.patch: replace incorrect use of
      sshpkt_disconnect() with ssh_packet_disconnect() and properly
      initialize some vars.
    - CVE-2026-3497
  * SECURITY UPDATE: Untrusted control characters in usernames
    - debian/patches/CVE-2025-61984.patch: Improve rules for %-expansion of
      username in ssh.c.
    - CVE-2025-61984
  * SECURITY UPDATE: Code execution in ProxyCommand via NULL character
    - debian/patches/CVE-2025-61985.patch: don't allow \0 characters in
      url-encoded strings in misc.c.
    - CVE-2025-61985
However, the update did not include the corresponding change to the
regression tests that accompanies this fix upstream[2]. As a result, the
openssh autopkgtests now fail on questing, which blocks updates of other
packages that depend on them[3].
[Test Plan]
The autopkgtests for openssh should pass again. In particular, the
percent.sh test from the regress suite.
[Where problems could occur]
This patch only changes the test case, so the potential for user-facing
regression is minimal. If there were issues with the patch, we would see
further failures in the regress test suite rather than in ssh itself.
[Other information]
This only affects questing. Resolute has a newer upstream version that
contains the fix, and in Noble the relevant test is not present to begin
with.
Since this is a test-only change, this can sit in -proposed until
another update is required.
Links:
[1] https://launchpad.net/ubuntu/+source/openssh/1:10.0p1-5ubuntu5.1
[2] https://github.com/openssh/openssh-portable/commit/f64701ca25795548a61614d0b13391d6dfa7f38c
[3] https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/o/openssh/20260406_133947_d76c8@/log.gz
** Affects: openssh (Ubuntu)
     Importance: Undecided
     Assignee: Nick Rosbrook (enr0n)
         Status: Fix Released

** Affects: openssh (Ubuntu Questing)
     Importance: Undecided
     Assignee: Nick Rosbrook (enr0n)
         Status: In Progress

** Affects: openssh (Ubuntu Resolute)
     Importance: Undecided
     Assignee: Nick Rosbrook (enr0n)
         Status: Fix Released

** Tags: block-proposed-questing

** Also affects: openssh (Ubuntu Resolute)
     Importance: Undecided
     Assignee: Nick Rosbrook (enr0n)
         Status: New

** Also affects: openssh (Ubuntu Questing)
     Importance: Undecided
         Status: New

** Changed in: openssh (Ubuntu Resolute)
         Status: New => Fix Released

** Changed in: openssh (Ubuntu Questing)
         Status: New => In Progress

** Changed in: openssh (Ubuntu Questing)
     Assignee: (unassigned) => Nick Rosbrook (enr0n)
https://bugs.launchpad.net/bugs/2147451
Title: openssh: security update on questing introduces autopkgtest regression
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs