Version in base suite: 9.2p1-2+deb12u5

Base version: openssh_9.2p1-2+deb12u5
Target version: openssh_9.2p1-2+deb12u6
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssh/openssh_9.2p1-2+deb12u5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssh/openssh_9.2p1-2+deb12u6.dsc

 .git-dpm                             |    4 +--
 changelog                            |    8 ++++++
 patches/CVE-2023-48795.patch         |    4 +--
 patches/fix-disable-forwarding.patch |   42 +++++++++++++++++++++++++++++++++++
 patches/gssapi.patch                 |   23 ++++++++++---------
 patches/series                       |    1 
 6 files changed, 67 insertions(+), 15 deletions(-)

diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm	2025-05-08 10:54:24.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-b430b77904fa045d5753bad32f6c8a582396db57
-b430b77904fa045d5753bad32f6c8a582396db57
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
+cf9b65754f0e54de11d075fc7317ae90a1ae4389
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
 openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog	2025-02-14 13:06:51.000000000 +0000
+++ openssh-9.2p1/debian/changelog	2025-05-08 10:54:24.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u6) bookworm; urgency=medium
+
+  * CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
+    failing to disable X11 forwarding and agent forwarding as documented
+    (closes: #1102603).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 08 May 2025 11:54:24 +0100
+
 openssh (1:9.2p1-2+deb12u5) bookworm-security; urgency=medium
 
   * CVE-2025-26465: Fix MitM in verify_host_key_callback.
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch	2025-05-08 10:54:24.000000000 +0000
@@ -307,7 +307,7 @@
 +		if (*typep == 0) {
 +			/* no message ready */
 +			return 0;
-+		}
+ 		}
 +		state->keep_alive_timeouts = 0;
 +		DBG(debug("received packet type %d", *typep));
 +
@@ -325,7 +325,7 @@
 +			    ssh_remote_port(ssh), reason, msg);
 +			free(msg);
 +			return SSH_ERR_DISCONNECTED;
- 		}
++		}
 +
 +		/*
 +		 * Do not implicitly handle any messages here during initial
diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
--- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	1970-01-01 00:00:00.000000000 +0000
+++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch	2025-05-08 10:54:24.000000000 +0000
@@ -0,0 +1,42 @@
+From cf9b65754f0e54de11d075fc7317ae90a1ae4389 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: upstream: Fix logic error in DisableForwarding option. This option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=fc86875e6acb36401dfc1dfb6b628a9d1460f367
+Bug-Debian: https://bugs.debian.org/1102603
+Last-Update: 2025-04-15
+
+Patch-Name: fix-disable-forwarding.patch
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index 492463529..3414ddd49 100644
+--- a/session.c
++++ b/session.c
+@@ -2191,7 +2191,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2579,7 +2580,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
diff -Nru openssh-9.2p1/debian/patches/gssapi.patch openssh-9.2p1/debian/patches/gssapi.patch
--- openssh-9.2p1/debian/patches/gssapi.patch	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/gssapi.patch	2025-05-08 10:54:24.000000000 +0000
@@ -36,7 +36,7 @@
  configure.ac    |  24 ++
  gss-genr.c      | 297 +++++++++++++++++++++++-
  gss-serv-krb5.c |  87 ++++++-
- gss-serv.c      | 205 +++++++++++++++--
+ gss-serv.c      | 207 +++++++++++++++--
  kex.c           |  66 +++++-
  kex.h           |  29 +++
  kexdh.c         |  10 +
@@ -64,7 +64,7 @@
  sshd_config.5   |  30 +++
  sshkey.c        |   8 +-
  sshkey.h        |   1 +
- 39 files changed, 2769 insertions(+), 165 deletions(-)
+ 39 files changed, 2770 insertions(+), 166 deletions(-)
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
  create mode 100644 ssh-null.c
@@ -1144,7 +1144,8 @@
 +	int equal = 0;
 +	gss_name_t new_name = GSS_C_NO_NAME;
 +	gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
-+
+ 
+-	gss_buffer_desc ename;
 +	if (options.gss_store_rekey && client->used && ctx->client_creds) {
 +		if (client->mech->oid.length != ctx->oid->length ||
 +		    (memcmp(client->mech->oid.elements,
@@ -1159,8 +1160,7 @@
 +			ssh_gssapi_error(ctx);
 +			return (ctx->major);
 +		}
- 
--	gss_buffer_desc ename;
++
 +		ctx->major = gss_compare_name(&ctx->minor, client->name,
 +		    new_name, &equal);
 +
@@ -1270,6 +1270,9 @@
 -/* Privileged */
 -OM_uint32
 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+-{
+-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+-	    gssbuf, gssmic, NULL);
 +/* These bits are only used for rekeying. The unpriviledged child is running
 + * as the user, the monitor is root.
 + *
@@ -1277,20 +1280,18 @@
 + *    *) Ask the monitor to store our credentials into the store we specify
 + *    *) If it succeeds, maybe do a PAM update
 + */
-+
+ 
+-	return (ctx->major);
 +/* Stuff for PAM */
 +
 +#ifdef USE_PAM
 +static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
 +    struct pam_response **resp, void *data)
- {
--	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
--	    gssbuf, gssmic, NULL);
++{
 +	return (PAM_CONV_ERR);
 +}
 +#endif
- 
--	return (ctx->major);
++
 +void
 +ssh_gssapi_rekey_creds(void) {
 +	int ok;
diff -Nru openssh-9.2p1/debian/patches/series openssh-9.2p1/debian/patches/series
--- openssh-9.2p1/debian/patches/series	2025-02-14 13:06:46.000000000 +0000
+++ openssh-9.2p1/debian/patches/series	2025-05-08 10:54:24.000000000 +0000
@@ -37,3 +37,4 @@
 sntrup761x25519-sha512.patch
 CVE-2025-26465.patch
 incorrect-return-values.patch
+fix-disable-forwarding.patch