Version in base suite: 9.2p1-2+deb12u7 Version in overlay suite: 9.2p1-2+deb12u8 Base version: openssh_9.2p1-2+deb12u8 Target version: openssh_9.2p1-2+deb12u9 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssh/openssh_9.2p1-2+deb12u8.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssh/openssh_9.2p1-2+deb12u9.dsc .git-dpm | 4 changelog | 8 + patches/CVE-2023-28531.patch | 2 patches/CVE-2023-38408-1.patch | 2 patches/CVE-2023-38408-2.patch | 2 patches/CVE-2023-38408-3.patch | 2 patches/CVE-2023-48795.patch | 2 patches/CVE-2023-51384.patch | 2 patches/CVE-2023-51385.patch | 2 patches/CVE-2025-26465.patch | 2 patches/CVE-2025-61984-tests.patch | 2 patches/CVE-2025-61984.patch | 2 patches/CVE-2025-61985.patch | 2 patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch | 2 patches/authorized-keys-man-symlink.patch | 2 patches/conch-ssh-rsa.patch | 2 patches/debian-banner.patch | 2 patches/debian-config.patch | 2 patches/dnssec-sshfp.patch | 2 patches/doc-hash-tab-completion.patch | 2 patches/fix-disable-forwarding.patch | 2 patches/gnome-ssh-askpass2-icon.patch | 2 patches/gssapi.patch | 51 +++++----- patches/incorrect-return-values.patch | 2 patches/keepalive-extensions.patch | 2 patches/maxhostnamelen.patch | 2 patches/mention-ssh-keygen-on-keychange.patch | 2 patches/no-openssl-version-status.patch | 2 patches/openbsd-docs.patch | 2 patches/openssl-3-abi-compatibility-test.patch | 2 patches/openssl-3-abi-compatibility.patch | 2 patches/package-versioning.patch | 2 patches/remove-spurious-ssh-agent-options.patch | 2 patches/restore-authorized_keys2.patch | 2 patches/restore-tcp-wrappers.patch | 2 patches/revert-ipqos-defaults.patch | 2 patches/scp-quoting.patch | 2 patches/selinux-role.patch | 2 patches/shell-path.patch | 2 patches/sntrup761x25519-sha512.patch | 2 patches/ssh-agent-setgid.patch | 2 patches/ssh-argv0.patch | 2 patches/ssh-vulnkey-compat.patch | 2 patches/syslog-level-silent.patch | 2 patches/systemd-readiness.patch | 2 patches/systemd-socket-activation.patch | 2 patches/user-group-modes.patch | 2 47 files changed, 80 insertions(+), 71 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2vd3kxle/openssh_9.2p1-2+deb12u8.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2vd3kxle/openssh_9.2p1-2+deb12u9.dsc: no acceptable signature found diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm --- openssh-9.2p1/debian/.git-dpm 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/.git-dpm 2026-04-04 23:33:20.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -e5402601353303321fb2953e0b7d45f0838b94db -e5402601353303321fb2953e0b7d45f0838b94db +f17eedbd2398f00fbb96170b60c8d2895318223e +f17eedbd2398f00fbb96170b60c8d2895318223e cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188 openssh_9.2p1.orig.tar.gz diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog --- openssh-9.2p1/debian/changelog 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/changelog 2026-04-04 23:33:31.000000000 +0000 @@ -1,3 +1,11 @@ +openssh (1:9.2p1-2+deb12u9) bookworm-security; urgency=medium + + * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect + use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly + initialize some variables (closes: #1130595; thanks, Marc Deslauriers). + + -- Colin Watson Sun, 05 Apr 2026 00:33:31 +0100 + openssh (1:9.2p1-2+deb12u8) bookworm; urgency=medium * CVE-2025-61984: ssh(1): disallow control characters in usernames passed diff -Nru openssh-9.2p1/debian/patches/CVE-2023-28531.patch openssh-9.2p1/debian/patches/CVE-2023-28531.patch --- openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From cdd7ccb0c240e0a8b21eacb25da9a310add20251 Mon Sep 17 00:00:00 2001 +From d17072d8dd68dabcd9fea14cd643eadd658b93e5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 9 Mar 2023 06:58:26 +0000 Subject: upstream: include destination constraints for smartcard keys too. diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From d28ccf30cf25d22264819d998102dd72fbf6d312 Mon Sep 17 00:00:00 2001 +From ad4e0b268e0f4fc28522bf0b4e6a86e610601db4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 13 Jul 2023 12:09:34 +1000 Subject: terminate pkcs11 process for bad libraries diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 26c255d21ebeae770a4df88415c0623c89f047be Mon Sep 17 00:00:00 2001 +From 56689a64d331679fd027c10dd618157b9cfadbd2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 7 Jul 2023 13:30:15 +1000 Subject: disallow remote addition of FIDO/PKCS11 keys diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch --- openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 3657590a62106e02d302936bc6b1593ae24de22a Mon Sep 17 00:00:00 2001 +From e3df7d601f093b6bdea7c4c56ef0c0b9f876f9bc Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 19 Jul 2023 14:02:27 +0000 Subject: upstream: Ensure FIDO/PKCS11 libraries contain expected symbols diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch openssh-9.2p1/debian/patches/CVE-2023-48795.patch --- openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 5d09f8bc808a50cb570b3f6782c55384224a488c Mon Sep 17 00:00:00 2001 +From 5e43361fd2629d7279591892b4af1af26c365a7d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:45:17 +0000 Subject: upstream: implement "strict key exchange" in ssh and sshd diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51384.patch openssh-9.2p1/debian/patches/CVE-2023-51384.patch --- openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From ce0fe1459a5b8824e43e3733538481ea5ecbb0e1 Mon Sep 17 00:00:00 2001 +From 20d0e6f3b2d23797f6d9c95631725d53f5fd2696 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:46:12 +0000 Subject: upstream: apply destination constraints to all p11 keys diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51385.patch openssh-9.2p1/debian/patches/CVE-2023-51385.patch --- openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From e76c2b15332dbdfc01fa6ff796ad694a7c5c39b4 Mon Sep 17 00:00:00 2001 +From af3d2d9c87cbb283b75b0310eae473b777ff9533 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:47:44 +0000 Subject: upstream: ban user/hostnames with most shell metacharacters diff -Nru openssh-9.2p1/debian/patches/CVE-2025-26465.patch openssh-9.2p1/debian/patches/CVE-2025-26465.patch --- openssh-9.2p1/debian/patches/CVE-2025-26465.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2025-26465.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 7b5cdb866db7c75c50c800fb4750e42392ebbf43 Mon Sep 17 00:00:00 2001 +From b9ba90aa69becfdc17531d2a0613f1731cfe6977 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 14 Feb 2025 00:13:11 +0000 Subject: CVE-2025-26465: Fix MitM in verify_host_key_callback diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch --- openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From e5402601353303321fb2953e0b7d45f0838b94db Mon Sep 17 00:00:00 2001 +From f17eedbd2398f00fbb96170b60c8d2895318223e Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 03:04:44 +0000 Subject: Add more username validity checks diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61984.patch openssh-9.2p1/debian/patches/CVE-2025-61984.patch --- openssh-9.2p1/debian/patches/CVE-2025-61984.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2025-61984.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From cab036bedba20f6f11a9fd3baab79645a2c30d4c Mon Sep 17 00:00:00 2001 +From 8d3eae0cb6c443f5b3747aedde770fbeee7317f9 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 00:29:09 +0000 Subject: Refuse usernames that include control characters diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61985.patch openssh-9.2p1/debian/patches/CVE-2025-61985.patch --- openssh-9.2p1/debian/patches/CVE-2025-61985.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/CVE-2025-61985.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 48b09ff880d30b95d18273b02601097abeb12b9d Mon Sep 17 00:00:00 2001 +From 2ada375659b2c3d1f85739bc1ceaefb9f9128600 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 00:30:06 +0000 Subject: upstream: don't allow \0 characters in url-encoded strings. diff -Nru openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch --- openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 423c6fe52d13614994827e5cee65dac925232855 Mon Sep 17 00:00:00 2001 +From d16db6f3339bbe3e43e9a8116346bf00196ebc64 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 22 Jun 2024 21:33:03 +0200 Subject: Disable async-signal-unsafe code from the sshsigdie() function diff -Nru openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch --- openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From dee22f6f22efc21f49e55620c978023f43cf336d Mon Sep 17 00:00:00 2001 +From a817885b63c510f6caba684e9371dc59940403d8 Mon Sep 17 00:00:00 2001 From: Tomas Pospisek Date: Sun, 9 Feb 2014 16:10:07 +0000 Subject: Install authorized_keys(5) as a symlink to sshd(8) diff -Nru openssh-9.2p1/debian/patches/conch-ssh-rsa.patch openssh-9.2p1/debian/patches/conch-ssh-rsa.patch --- openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 6d532487bc6c01eacf3f5f92a3239d9ff84a9f61 Mon Sep 17 00:00:00 2001 +From b37909737bf937789947b0e7d49c905cb8eff978 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 15 Feb 2022 18:25:35 +0000 Subject: Work around RSA SHA-2 signature issues in conch diff -Nru openssh-9.2p1/debian/patches/debian-banner.patch openssh-9.2p1/debian/patches/debian-banner.patch --- openssh-9.2p1/debian/patches/debian-banner.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/debian-banner.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 250ea677f62ee37a800e49d5d68683eb4ff241f7 Mon Sep 17 00:00:00 2001 +From 47e879b5122436ff563afb91e319a78881118336 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 9 Feb 2014 16:10:06 +0000 Subject: Add DebianBanner server configuration option diff -Nru openssh-9.2p1/debian/patches/debian-config.patch openssh-9.2p1/debian/patches/debian-config.patch --- openssh-9.2p1/debian/patches/debian-config.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/debian-config.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 4363eb93bc775a6e759c1682da4f3a69543717bd Mon Sep 17 00:00:00 2001 +From c132dd740fb127fdf71735b69093d3058f09f98a Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes diff -Nru openssh-9.2p1/debian/patches/dnssec-sshfp.patch openssh-9.2p1/debian/patches/dnssec-sshfp.patch --- openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From b19054b02f64d320194f86e305a9d97053c9ab01 Mon Sep 17 00:00:00 2001 +From 461a8f7d31154ccbf95927c67c7be477802210f6 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:01 +0000 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf diff -Nru openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch --- openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From fc51509b693b1b31ad48b93019da576edb905e13 Mon Sep 17 00:00:00 2001 +From 71b05455c09e8de3a7d06e4305e52e56de6b1860 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:11 +0000 Subject: Document that HashKnownHosts may break tab-completion diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch openssh-9.2p1/debian/patches/fix-disable-forwarding.patch --- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f Mon Sep 17 00:00:00 2001 +From 95b236584c7dd434cfcb904cca94ca298b706102 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 9 Apr 2025 07:00:03 +0000 Subject: upstream: Fix logic error in DisableForwarding option. This option diff -Nru openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch --- openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From deab71aa1b1bffb0f036ce681045aad80a846db4 Mon Sep 17 00:00:00 2001 +From 091f33f08b04c6365a4293fa198af81036b93599 Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Sun, 9 Feb 2014 16:10:16 +0000 Subject: Give the ssh-askpass-gnome window a default icon diff -Nru openssh-9.2p1/debian/patches/gssapi.patch openssh-9.2p1/debian/patches/gssapi.patch --- openssh-9.2p1/debian/patches/gssapi.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/gssapi.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 03e7fd7bd4470a1322fa8da42789577cc5b1d7ec Mon Sep 17 00:00:00 2001 +From c65263926dfdbce12a49b7fc3824fe701a9d19bd Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Sun, 9 Feb 2014 16:09:48 +0000 Subject: GSSAPI key exchange support @@ -21,7 +21,7 @@ Author: Jakub Jelen Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 -Last-Updated: 2024-12-03 +Last-Updated: 2026-03-29 Patch-Name: gssapi.patch --- @@ -42,7 +42,7 @@ kexdh.c | 10 + kexgen.c | 2 +- kexgssc.c | 599 ++++++++++++++++++++++++++++++++++++++++++++++++ - kexgsss.c | 474 ++++++++++++++++++++++++++++++++++++++ + kexgsss.c | 475 ++++++++++++++++++++++++++++++++++++++ monitor.c | 139 ++++++++++- monitor.h | 2 + monitor_wrap.c | 57 ++++- @@ -64,7 +64,7 @@ sshd_config.5 | 30 +++ sshkey.c | 8 +- sshkey.h | 1 + - 39 files changed, 2770 insertions(+), 166 deletions(-) + 39 files changed, 2771 insertions(+), 166 deletions(-) create mode 100644 kexgssc.c create mode 100644 kexgsss.c create mode 100644 ssh-null.c @@ -1597,7 +1597,7 @@ const struct sshbuf *client_version, diff --git a/kexgssc.c b/kexgssc.c new file mode 100644 -index 000000000..1c62740e7 +index 000000000..feca2a901 --- /dev/null +++ b/kexgssc.c @@ -0,0 +1,599 @@ @@ -1655,8 +1655,8 @@ +{ + struct kex *kex = ssh->kex; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER, -+ recv_tok = GSS_C_EMPTY_BUFFER, -+ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; ++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER, ++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; + Gssctxt *ctxt; + OM_uint32 maj_status, min_status, ret_flags; + struct sshbuf *server_blob = NULL; @@ -1801,11 +1801,11 @@ + fatal("Failed to read token: %s", ssh_err(r)); + /* If we're already complete - protocol error */ + if (maj_status == GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: received token when complete"); ++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete"); + } else { + /* No token included */ + if (maj_status != GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token"); ++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token"); + } + if ((r = sshpkt_get_end(ssh)) != 0) { + fatal("Expecting end of packet."); @@ -1821,7 +1821,7 @@ + fatal("sshpkt_get failed: %s", ssh_err(r)); + fatal("GSSAPI Error: \n%.400s", msg); + default: -+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d", ++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d", + type); + } + token_ptr = &recv_tok; @@ -1894,7 +1894,7 @@ + + /* Verify that the hash matches the MIC we just got. */ + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) -+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify"); ++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify"); + + gss_release_buffer(&min_status, &msg_tok); + @@ -1926,8 +1926,8 @@ +{ + struct kex *kex = ssh->kex; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER, -+ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf, -+ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; ++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER, ++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; + Gssctxt *ctxt; + OM_uint32 maj_status, min_status, ret_flags; + struct sshbuf *shared_secret = NULL; @@ -2093,11 +2093,11 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + /* If we're already complete - protocol error */ + if (maj_status == GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: received token when complete"); ++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete"); + } else { + /* No token included */ + if (maj_status != GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token"); ++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token"); + } + break; + case SSH2_MSG_KEXGSS_ERROR: @@ -2110,7 +2110,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + fatal("GSSAPI Error: \n%.400s", msg); + default: -+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d", ++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d", + type); + } + token_ptr = &recv_tok; @@ -2172,7 +2172,7 @@ + + /* Verify that the hash matches the MIC we just got. */ + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) -+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify"); ++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify"); + + gss_release_buffer(&min_status, &msg_tok); + @@ -2202,10 +2202,10 @@ +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ diff --git a/kexgsss.c b/kexgsss.c new file mode 100644 -index 000000000..a2c02148b +index 000000000..aa546be74 --- /dev/null +++ b/kexgsss.c -@@ -0,0 +1,474 @@ +@@ -0,0 +1,475 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -2272,7 +2272,8 @@ + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER, ++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2351,7 +2352,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + break; + default: -+ sshpkt_disconnect(ssh, ++ ssh_packet_disconnect(ssh, + "Protocol error: didn't expect packet type %d", + type); + } @@ -2467,7 +2468,8 @@ + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER, ++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2524,8 +2526,7 @@ + min, nbits, max); + kex->dh = PRIVSEP(choose_dh(min, nbits, max)); + if (kex->dh == NULL) { -+ sshpkt_disconnect(ssh, "Protocol error: no matching group found"); -+ fatal("Protocol error: no matching group found"); ++ ssh_packet_disconnect(ssh, "Protocol error: no matching group found"); + } + + DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); @@ -2564,7 +2565,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + break; + default: -+ sshpkt_disconnect(ssh, ++ ssh_packet_disconnect(ssh, + "Protocol error: didn't expect packet type %d", + type); + } diff -Nru openssh-9.2p1/debian/patches/incorrect-return-values.patch openssh-9.2p1/debian/patches/incorrect-return-values.patch --- openssh-9.2p1/debian/patches/incorrect-return-values.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/incorrect-return-values.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 902b3eaff361ec5fe9aeb77b91d0c3f721621beb Mon Sep 17 00:00:00 2001 +From 88bf837d1e6ce1025047a97d4f6901f2a60b3771 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Fri, 14 Feb 2025 00:24:52 +0000 Subject: Fix incorrect return values on a number of error paths diff -Nru openssh-9.2p1/debian/patches/keepalive-extensions.patch openssh-9.2p1/debian/patches/keepalive-extensions.patch --- openssh-9.2p1/debian/patches/keepalive-extensions.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/keepalive-extensions.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 88e35da8605f70f062e5aafd223098e158425aa4 Mon Sep 17 00:00:00 2001 +From f0152b64367b79554f55a71d84e68c3d29d61e85 Mon Sep 17 00:00:00 2001 From: Richard Kettlewell Date: Sun, 9 Feb 2014 16:09:52 +0000 Subject: Various keepalive extensions diff -Nru openssh-9.2p1/debian/patches/maxhostnamelen.patch openssh-9.2p1/debian/patches/maxhostnamelen.patch --- openssh-9.2p1/debian/patches/maxhostnamelen.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/maxhostnamelen.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 0de61f52e23476a50b05d8bc7aab66adb411defd Mon Sep 17 00:00:00 2001 +From 295310dd73d907c4fd9c4882739a2b82c18b4ada Mon Sep 17 00:00:00 2001 From: Svante Signell Date: Fri, 5 Nov 2021 23:22:53 +0000 Subject: Define MAXHOSTNAMELEN on GNU/Hurd diff -Nru openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch --- openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From faaa7e24f0440213fab3558ffbd8119c04f4ae12 Mon Sep 17 00:00:00 2001 +From e011a4c78a843be85b49374f7f255f3aae884c1f Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Sun, 9 Feb 2014 16:10:03 +0000 Subject: Mention ssh-keygen in ssh fingerprint changed warning diff -Nru openssh-9.2p1/debian/patches/no-openssl-version-status.patch openssh-9.2p1/debian/patches/no-openssl-version-status.patch --- openssh-9.2p1/debian/patches/no-openssl-version-status.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/no-openssl-version-status.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 6512a9b0020d9c7a63d6e0cf237da4c088489a7b Mon Sep 17 00:00:00 2001 +From 9d87a74dbcdb1e3732c8c9f1abee939638fda725 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 9 Feb 2014 16:10:14 +0000 Subject: Don't check the status field of the OpenSSL version diff -Nru openssh-9.2p1/debian/patches/openbsd-docs.patch openssh-9.2p1/debian/patches/openbsd-docs.patch --- openssh-9.2p1/debian/patches/openbsd-docs.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/openbsd-docs.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From e76555b386bf0a09ac60b4de7cd46960ca736164 Mon Sep 17 00:00:00 2001 +From a967c10d51a4b16fbb6df0190bb1c5e7ee5c1819 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch --- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From f32089dd98a157929164f1f38ba88d3114e63312 Mon Sep 17 00:00:00 2001 +From bab400123c7e33e44f1e877251f781132a7eb95c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 May 2023 17:12:50 +1000 Subject: Update OpenSSL compat test for 3.x. diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch --- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 45e9a6aeb8179ed7bf306785f042fef6137e866a Mon Sep 17 00:00:00 2001 +From 1c4180550eaa3da07e5ff78a2c38d4f267d80db2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 8 May 2023 20:12:59 +1000 Subject: Handle OpenSSL >=3 ABI compatibility. diff -Nru openssh-9.2p1/debian/patches/package-versioning.patch openssh-9.2p1/debian/patches/package-versioning.patch --- openssh-9.2p1/debian/patches/package-versioning.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/package-versioning.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 62a119032fb35d2494730603d01ea384e144f82a Mon Sep 17 00:00:00 2001 +From 5112b18efe5f92c5e3b21a3aea8d9d41582d572f Mon Sep 17 00:00:00 2001 From: Matthew Vernon Date: Sun, 9 Feb 2014 16:10:05 +0000 Subject: Include the Debian version in our identification diff -Nru openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch --- openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From d6a6e02729e06e77a8068122ee88ec391789fd4c Mon Sep 17 00:00:00 2001 +From 4c67c4f548ac13939cf0599adb3cbdd67b368afc Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 7 Feb 2023 23:55:19 +0000 Subject: Remove spurious ssh-agent options diff -Nru openssh-9.2p1/debian/patches/restore-authorized_keys2.patch openssh-9.2p1/debian/patches/restore-authorized_keys2.patch --- openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 808fc9c9fe9af878a8d2ad8db47ea01292d2740d Mon Sep 17 00:00:00 2001 +From afc9d494b9e2d6ab3aef194d958a00c325da77b2 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 5 Mar 2017 02:02:11 +0000 Subject: Restore reading authorized_keys2 by default diff -Nru openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch --- openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From b43542890d0f92850e5c8bbd30f62204791fce98 Mon Sep 17 00:00:00 2001 +From 8c3de439bb486812ed3a63d24573c58f2c96dc70 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 7 Oct 2014 13:22:41 +0100 Subject: Restore TCP wrappers support diff -Nru openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch --- openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 8ec019ee41a379ba31344b0dc767b0aeb9c12fd5 Mon Sep 17 00:00:00 2001 +From 44ec3907fe80286c2cc81858b0067e0ab49ce6b4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 8 Apr 2019 10:46:29 +0100 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP diff -Nru openssh-9.2p1/debian/patches/scp-quoting.patch openssh-9.2p1/debian/patches/scp-quoting.patch --- openssh-9.2p1/debian/patches/scp-quoting.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/scp-quoting.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 3e9d83c98093d1485e33eb94f8449c2b0683ebc8 Mon Sep 17 00:00:00 2001 +From 260c1cd8bc98c0040e4b30e1190da0b79dfed1d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= Date: Sun, 9 Feb 2014 16:09:59 +0000 Subject: Adjust scp quoting in verbose mode diff -Nru openssh-9.2p1/debian/patches/selinux-role.patch openssh-9.2p1/debian/patches/selinux-role.patch --- openssh-9.2p1/debian/patches/selinux-role.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/selinux-role.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 07fb0a9e6b42cdb0225517609e60165beb268ceb Mon Sep 17 00:00:00 2001 +From 37927b2753dd7ebc6cbaa2a7e8bf642d4fced14c Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles diff -Nru openssh-9.2p1/debian/patches/shell-path.patch openssh-9.2p1/debian/patches/shell-path.patch --- openssh-9.2p1/debian/patches/shell-path.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/shell-path.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 695ba53a206de76d33d734ba359c4203088368cb Mon Sep 17 00:00:00 2001 +From 76f73b1a1cb01e6fbe8f64ffad6f0ee8e2693a88 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:00 +0000 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand diff -Nru openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch --- openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 28483d6bfa7171cb3569b9650191a4ea03d2c157 Mon Sep 17 00:00:00 2001 +From 599f3a72fdf274d58e8d2db73c0afe92a9037355 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 22 Aug 2024 23:11:30 +0000 Subject: upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, diff -Nru openssh-9.2p1/debian/patches/ssh-agent-setgid.patch openssh-9.2p1/debian/patches/ssh-agent-setgid.patch --- openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From d5a2ba7af682ae724440edb5030094b19455fd98 Mon Sep 17 00:00:00 2001 +From 5574e44dd7d5ddded6f4756b5a31b6fb030ba4df Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:13 +0000 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) diff -Nru openssh-9.2p1/debian/patches/ssh-argv0.patch openssh-9.2p1/debian/patches/ssh-argv0.patch --- openssh-9.2p1/debian/patches/ssh-argv0.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-argv0.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 415984f4dba214dbd469af8bd5ba88a8eaf87bac Mon Sep 17 00:00:00 2001 +From 8d765ddad95a2b0f63646865a545fe666dc43c80 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:10 +0000 Subject: ssh(1): Refer to ssh-argv0(1) diff -Nru openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch --- openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 29e019028843d1b63f95854f425b8efe69317b6a Mon Sep 17 00:00:00 2001 +From 226d619b6bf93334fa5b1f13d419c32879eb8ed9 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:50 +0000 Subject: Accept obsolete ssh-vulnkey configuration options diff -Nru openssh-9.2p1/debian/patches/syslog-level-silent.patch openssh-9.2p1/debian/patches/syslog-level-silent.patch --- openssh-9.2p1/debian/patches/syslog-level-silent.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/syslog-level-silent.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 3cd29305c77bb26eb4ec6b34078317eee6f9bf15 Mon Sep 17 00:00:00 2001 +From 317bf7c3eb826466d8cf09489cf3b87e5d4196b1 Mon Sep 17 00:00:00 2001 From: Natalie Amery Date: Sun, 9 Feb 2014 16:09:54 +0000 Subject: "LogLevel SILENT" compatibility diff -Nru openssh-9.2p1/debian/patches/systemd-readiness.patch openssh-9.2p1/debian/patches/systemd-readiness.patch --- openssh-9.2p1/debian/patches/systemd-readiness.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/systemd-readiness.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From b12e301f5d94cdbc28598ba38709f44fe433b4bb Mon Sep 17 00:00:00 2001 +From 16928bde79a31eb7f46c6206471a811a2e67a30f Mon Sep 17 00:00:00 2001 From: Michael Biebl Date: Mon, 21 Dec 2015 16:08:47 +0000 Subject: Add systemd readiness notification support diff -Nru openssh-9.2p1/debian/patches/systemd-socket-activation.patch openssh-9.2p1/debian/patches/systemd-socket-activation.patch --- openssh-9.2p1/debian/patches/systemd-socket-activation.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/systemd-socket-activation.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 8b86adf81bb0f382117bc693efeab25378ff6187 Mon Sep 17 00:00:00 2001 +From 93f10fb98f8257b451bda07a3a98cc7314a85a46 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation diff -Nru openssh-9.2p1/debian/patches/user-group-modes.patch openssh-9.2p1/debian/patches/user-group-modes.patch --- openssh-9.2p1/debian/patches/user-group-modes.patch 2026-02-03 13:16:06.000000000 +0000 +++ openssh-9.2p1/debian/patches/user-group-modes.patch 2026-04-04 23:33:20.000000000 +0000 @@ -1,4 +1,4 @@ -From 603e2674118ba4136b73561941086a24a21ac7e8 Mon Sep 17 00:00:00 2001 +From 22367a34547dd7e93392f05bea6c79e97b5ddc58 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:58 +0000 Subject: Allow harmless group-writability