Version in base suite: 10.0p1-7+deb13u1 Base version: openssh_10.0p1-7+deb13u1 Target version: openssh_10.0p1-7+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssh/openssh_10.0p1-7+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssh/openssh_10.0p1-7+deb13u2.dsc .git-dpm | 4 +- changelog | 8 ++++ patches/CVE-2025-61984-tests.patch | 2 - patches/CVE-2025-61984.patch | 2 - patches/CVE-2025-61985.patch | 2 - patches/authorized-keys-man-symlink.patch | 2 - patches/configure-cache-vars.patch | 2 - patches/debian-banner.patch | 2 - patches/debian-config.patch | 2 - patches/dnssec-sshfp.patch | 2 - patches/doc-hash-tab-completion.patch | 2 - patches/fix-max-startups-tracking.patch | 2 - patches/gnome-ssh-askpass2-icon.patch | 2 - patches/gssapi.patch | 51 +++++++++++++------------- patches/keepalive-extensions.patch | 2 - patches/mention-ssh-keygen-on-keychange.patch | 2 - patches/no-openssl-version-status.patch | 2 - patches/openbsd-docs.patch | 2 - patches/package-versioning.patch | 2 - patches/pam-avoid-unknown-host.patch | 2 - patches/regress-conch-dev-zero.patch | 2 - patches/restore-authorized_keys2.patch | 2 - patches/restore-tcp-wrappers.patch | 2 - patches/revert-ipqos-defaults.patch | 2 - patches/scp-quoting.patch | 2 - patches/selinux-role.patch | 2 - patches/shell-path.patch | 2 - patches/skip-utimensat-test-on-zfs.patch | 2 - patches/ssh-agent-setgid.patch | 2 - patches/ssh-argv0.patch | 2 - patches/ssh-vulnkey-compat.patch | 2 - patches/syslog-level-silent.patch | 2 - patches/systemd-socket-activation.patch | 2 - patches/user-group-modes.patch | 2 - 34 files changed, 67 insertions(+), 58 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmwdp9xtd/openssh_10.0p1-7+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmwdp9xtd/openssh_10.0p1-7+deb13u2.dsc: no acceptable signature found diff -Nru openssh-10.0p1/debian/.git-dpm openssh-10.0p1/debian/.git-dpm --- openssh-10.0p1/debian/.git-dpm 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/.git-dpm 2026-04-04 23:27:07.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -f9aa1828af2d4cb16246a9f98efb5239c094d8b3 -f9aa1828af2d4cb16246a9f98efb5239c094d8b3 +947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2 +947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2 860fa104f07024318a40065f07708daa5753f55d 860fa104f07024318a40065f07708daa5753f55d openssh_10.0p1.orig.tar.gz diff -Nru openssh-10.0p1/debian/changelog openssh-10.0p1/debian/changelog --- openssh-10.0p1/debian/changelog 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/changelog 2026-04-04 23:29:20.000000000 +0000 @@ -1,3 +1,11 @@ +openssh (1:10.0p1-7+deb13u2) trixie-security; urgency=medium + + * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect + use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly + initialize some variables (closes: #1130595; thanks, Marc Deslauriers). + + -- Colin Watson Sun, 05 Apr 2026 00:29:20 +0100 + openssh (1:10.0p1-7+deb13u1) trixie; urgency=medium * CVE-2025-61984: ssh(1): disallow control characters in usernames passed diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch --- openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 68dfc2656e933f1571999e340da8db1137a27a78 Mon Sep 17 00:00:00 2001 +From 4a8b438b5a7cd0534dbfa11e953935ae24debbc6 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 03:04:44 +0000 Subject: upstream: repair test after changes to percent expansion of usernames diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61984.patch openssh-10.0p1/debian/patches/CVE-2025-61984.patch --- openssh-10.0p1/debian/patches/CVE-2025-61984.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/CVE-2025-61984.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 7e076cb419a27153e81243b339ce2efbc3c1f6f3 Mon Sep 17 00:00:00 2001 +From 82a6200c6affd9a90b3fe8e2fdea93b839319aea Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 00:29:09 +0000 Subject: upstream: Improve rules for %-expansion of username. diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61985.patch openssh-10.0p1/debian/patches/CVE-2025-61985.patch --- openssh-10.0p1/debian/patches/CVE-2025-61985.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/CVE-2025-61985.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 0bd8630712ee27da7aebfec79c96239657ae9369 Mon Sep 17 00:00:00 2001 +From 51b9b26c9f76b2594ca93ce1ac49aa10931d098a Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 4 Sep 2025 00:30:06 +0000 Subject: upstream: don't allow \0 characters in url-encoded strings. diff -Nru openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch --- openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From d8aca11c6d61adb619a8aea6f2f3a7a3365babda Mon Sep 17 00:00:00 2001 +From 7deef22ee3383b6e33de3201a2b060fc4dc43807 Mon Sep 17 00:00:00 2001 From: Tomas Pospisek Date: Sun, 9 Feb 2014 16:10:07 +0000 Subject: Install authorized_keys(5) as a symlink to sshd(8) diff -Nru openssh-10.0p1/debian/patches/configure-cache-vars.patch openssh-10.0p1/debian/patches/configure-cache-vars.patch --- openssh-10.0p1/debian/patches/configure-cache-vars.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/configure-cache-vars.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 009c6b987ef180ee0ef58b5c06dfdbf0097e18a9 Mon Sep 17 00:00:00 2001 +From 632c556fc44085e0cf62c92fbea312bc2ff01700 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 3 Apr 2024 11:52:04 +0100 Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_* diff -Nru openssh-10.0p1/debian/patches/debian-banner.patch openssh-10.0p1/debian/patches/debian-banner.patch --- openssh-10.0p1/debian/patches/debian-banner.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/debian-banner.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 8f693762755211b20d50f7e0b963bd1c3955c4b7 Mon Sep 17 00:00:00 2001 +From d6fd5dcdde06aa1a4cab5b1f7a567db52bb2b167 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 9 Feb 2014 16:10:06 +0000 Subject: Add DebianBanner server configuration option diff -Nru openssh-10.0p1/debian/patches/debian-config.patch openssh-10.0p1/debian/patches/debian-config.patch --- openssh-10.0p1/debian/patches/debian-config.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/debian-config.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 5fbe366def6557d221b9d955b7ab9bfbe88fd2b3 Mon Sep 17 00:00:00 2001 +From 338f3682c8f7d00f59f9f372b1277b974b2b0b1a Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes diff -Nru openssh-10.0p1/debian/patches/dnssec-sshfp.patch openssh-10.0p1/debian/patches/dnssec-sshfp.patch --- openssh-10.0p1/debian/patches/dnssec-sshfp.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/dnssec-sshfp.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 4b42694c1823a9eb69a972c53cf79ce289b2c810 Mon Sep 17 00:00:00 2001 +From 5bb05b304c54f31f2d5436af66f350ed53e1a8e7 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:01 +0000 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf diff -Nru openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch --- openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From c3c79bbb6ba940f4587dddaf8e85b8f36e4a895e Mon Sep 17 00:00:00 2001 +From e543205e05bf22f8fc597501b2193ed96ec7baf4 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:11 +0000 Subject: Document that HashKnownHosts may break tab-completion diff -Nru openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch --- openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From f9aa1828af2d4cb16246a9f98efb5239c094d8b3 Mon Sep 17 00:00:00 2001 +From 947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 4 Jul 2025 09:51:01 +0000 Subject: upstream: Fix mistracking of MaxStartups process exits in some diff -Nru openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch --- openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 53cb8cc4c931b81db8a924be43e09ad6edca9808 Mon Sep 17 00:00:00 2001 +From 529e4a8b6b7e75739191391aa3f8242b5f1cf476 Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Sun, 9 Feb 2014 16:10:16 +0000 Subject: Give the ssh-askpass-gnome window a default icon diff -Nru openssh-10.0p1/debian/patches/gssapi.patch openssh-10.0p1/debian/patches/gssapi.patch --- openssh-10.0p1/debian/patches/gssapi.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/gssapi.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 27126756ed15744cdf4d0cff1ee8dcfe567f7c8b Mon Sep 17 00:00:00 2001 +From 5d49824da13bf2bca6140d96b69b222fc90ddd2b Mon Sep 17 00:00:00 2001 From: Simon Wilkinson Date: Sun, 9 Feb 2014 16:09:48 +0000 Subject: GSSAPI key exchange support @@ -21,7 +21,7 @@ Author: Jakub Jelen Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 -Last-Updated: 2025-04-11 +Last-Updated: 2026-03-27 Patch-Name: gssapi.patch --- @@ -42,7 +42,7 @@ kexdh.c | 10 + kexgen.c | 2 +- kexgssc.c | 602 ++++++++++++++++++++++++++++++++++++++++++++++++ - kexgsss.c | 478 ++++++++++++++++++++++++++++++++++++++ + kexgsss.c | 479 ++++++++++++++++++++++++++++++++++++++ monitor.c | 139 ++++++++++- monitor.h | 2 + monitor_wrap.c | 57 ++++- @@ -66,7 +66,7 @@ sshd_config.5 | 30 +++ sshkey.c | 8 +- sshkey.h | 1 + - 41 files changed, 2671 insertions(+), 74 deletions(-) + 41 files changed, 2672 insertions(+), 74 deletions(-) create mode 100644 kexgssc.c create mode 100644 kexgsss.c create mode 100644 ssh-null.c @@ -1422,7 +1422,7 @@ const struct sshbuf *client_version, diff --git a/kexgssc.c b/kexgssc.c new file mode 100644 -index 000000000..2da431428 +index 000000000..1bcf7cae9 --- /dev/null +++ b/kexgssc.c @@ -0,0 +1,602 @@ @@ -1480,8 +1480,8 @@ +{ + struct kex *kex = ssh->kex; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER, -+ recv_tok = GSS_C_EMPTY_BUFFER, -+ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; ++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER, ++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; + Gssctxt *ctxt; + OM_uint32 maj_status, min_status, ret_flags; + struct sshbuf *server_blob = NULL; @@ -1626,11 +1626,11 @@ + fatal("Failed to read token: %s", ssh_err(r)); + /* If we're already complete - protocol error */ + if (maj_status == GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: received token when complete"); ++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete"); + } else { + /* No token included */ + if (maj_status != GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token"); ++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token"); + } + if ((r = sshpkt_get_end(ssh)) != 0) { + fatal("Expecting end of packet."); @@ -1646,7 +1646,7 @@ + fatal("sshpkt_get failed: %s", ssh_err(r)); + fatal("GSSAPI Error: \n%.400s", msg); + default: -+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d", ++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d", + type); + } + token_ptr = &recv_tok; @@ -1719,7 +1719,7 @@ + + /* Verify that the hash matches the MIC we just got. */ + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) -+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify"); ++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify"); + + gss_release_buffer(&min_status, &msg_tok); + @@ -1751,8 +1751,8 @@ +{ + struct kex *kex = ssh->kex; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER, -+ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf, -+ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; ++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER, ++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr; + Gssctxt *ctxt; + OM_uint32 maj_status, min_status, ret_flags; + struct sshbuf *shared_secret = NULL; @@ -1921,11 +1921,11 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + /* If we're already complete - protocol error */ + if (maj_status == GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: received token when complete"); ++ ssh_packet_disconnect(ssh, "Protocol error: received token when complete"); + } else { + /* No token included */ + if (maj_status != GSS_S_COMPLETE) -+ sshpkt_disconnect(ssh, "Protocol error: did not receive final token"); ++ ssh_packet_disconnect(ssh, "Protocol error: did not receive final token"); + } + break; + case SSH2_MSG_KEXGSS_ERROR: @@ -1938,7 +1938,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + fatal("GSSAPI Error: \n%.400s", msg); + default: -+ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d", ++ ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d", + type); + } + token_ptr = &recv_tok; @@ -2000,7 +2000,7 @@ + + /* Verify that the hash matches the MIC we just got. */ + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) -+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify"); ++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify"); + + gss_release_buffer(&min_status, &msg_tok); + @@ -2030,10 +2030,10 @@ +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ diff --git a/kexgsss.c b/kexgsss.c new file mode 100644 -index 000000000..1fd1d1e48 +index 000000000..b3d6d9d87 --- /dev/null +++ b/kexgsss.c -@@ -0,0 +1,478 @@ +@@ -0,0 +1,479 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -2100,7 +2100,8 @@ + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER, ++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2179,7 +2180,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + break; + default: -+ sshpkt_disconnect(ssh, ++ ssh_packet_disconnect(ssh, + "Protocol error: didn't expect packet type %d", + type); + } @@ -2295,7 +2296,8 @@ + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER, ++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2356,8 +2358,7 @@ + min, nbits, max); + kex->dh = mm_choose_dh(min, nbits, max); + if (kex->dh == NULL) { -+ sshpkt_disconnect(ssh, "Protocol error: no matching group found"); -+ fatal("Protocol error: no matching group found"); ++ ssh_packet_disconnect(ssh, "Protocol error: no matching group found"); + } + + DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); @@ -2396,7 +2397,7 @@ + fatal("sshpkt failed: %s", ssh_err(r)); + break; + default: -+ sshpkt_disconnect(ssh, ++ ssh_packet_disconnect(ssh, + "Protocol error: didn't expect packet type %d", + type); + } diff -Nru openssh-10.0p1/debian/patches/keepalive-extensions.patch openssh-10.0p1/debian/patches/keepalive-extensions.patch --- openssh-10.0p1/debian/patches/keepalive-extensions.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/keepalive-extensions.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From d3fc1f4d6bf0c2a857af1d5f90e7a0b061cdb490 Mon Sep 17 00:00:00 2001 +From 38ff54854c66202fb6aa027297388d16a30a410c Mon Sep 17 00:00:00 2001 From: Richard Kettlewell Date: Sun, 9 Feb 2014 16:09:52 +0000 Subject: Various keepalive extensions diff -Nru openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch --- openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 4bf6a2acf9290928d4393c3d3f219074c9c7eb3c Mon Sep 17 00:00:00 2001 +From 7d939cbba308f7fd89681e80a2fdf3a0fdbd1615 Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Sun, 9 Feb 2014 16:10:03 +0000 Subject: Mention ssh-keygen in ssh fingerprint changed warning diff -Nru openssh-10.0p1/debian/patches/no-openssl-version-status.patch openssh-10.0p1/debian/patches/no-openssl-version-status.patch --- openssh-10.0p1/debian/patches/no-openssl-version-status.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/no-openssl-version-status.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From bcb6fbcb58e6256516d5a63e6c27c3dd880373c3 Mon Sep 17 00:00:00 2001 +From 3aea5667e9443404363720a955990f9f4f50e0e5 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 9 Feb 2014 16:10:14 +0000 Subject: Don't check the status field of the OpenSSL version diff -Nru openssh-10.0p1/debian/patches/openbsd-docs.patch openssh-10.0p1/debian/patches/openbsd-docs.patch --- openssh-10.0p1/debian/patches/openbsd-docs.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/openbsd-docs.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From f44687fdc6dcf48a38f32693d7e28034d4961d0d Mon Sep 17 00:00:00 2001 +From cc76bfc84adb27c0c4faf996408a698caba0f07f Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages diff -Nru openssh-10.0p1/debian/patches/package-versioning.patch openssh-10.0p1/debian/patches/package-versioning.patch --- openssh-10.0p1/debian/patches/package-versioning.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/package-versioning.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From fc17470467826ef2bf50c930a45f6db43c2b5ba3 Mon Sep 17 00:00:00 2001 +From 7cd59302d8fa7eeb3de5fdbefc09a023d0e656d6 Mon Sep 17 00:00:00 2001 From: Matthew Vernon Date: Sun, 9 Feb 2014 16:10:05 +0000 Subject: Include the Debian version in our identification diff -Nru openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch --- openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From f5c89caec93130da905a95602cf36a4e25f2303e Mon Sep 17 00:00:00 2001 +From ccbb3efb1598cde11bb76d6045cd73c8f1773fd0 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Mon, 20 Mar 2023 20:22:14 +0100 Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN" diff -Nru openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch --- openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 93b2730229d7385fe79d2136c5269e5a7fd49795 Mon Sep 17 00:00:00 2001 +From 9db329d6764879915981e5ace3acd02534922b1d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 31 Mar 2024 00:24:11 +0000 Subject: regress: Redirect conch stdin from /dev/zero diff -Nru openssh-10.0p1/debian/patches/restore-authorized_keys2.patch openssh-10.0p1/debian/patches/restore-authorized_keys2.patch --- openssh-10.0p1/debian/patches/restore-authorized_keys2.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/restore-authorized_keys2.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 379b97fb24160f38bcd5f3be5737eac848a04af9 Mon Sep 17 00:00:00 2001 +From 3b1b1445b4963871731f94d473ad039585f7c134 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 5 Mar 2017 02:02:11 +0000 Subject: Restore reading authorized_keys2 by default diff -Nru openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch --- openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 5f13fe22c2a9771dbcd12e2e9a1b2f905bcad22a Mon Sep 17 00:00:00 2001 +From 840b02b43ecdeb1a062c487798a26c4b1ca41ac6 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 7 Oct 2014 13:22:41 +0100 Subject: Restore TCP wrappers support diff -Nru openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch --- openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From c0165ba64a76bf4d962d6d9a500299c2696e150d Mon Sep 17 00:00:00 2001 +From 88dc4a66e9c8fd350152080713f33e26fd7df202 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 8 Apr 2019 10:46:29 +0100 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP diff -Nru openssh-10.0p1/debian/patches/scp-quoting.patch openssh-10.0p1/debian/patches/scp-quoting.patch --- openssh-10.0p1/debian/patches/scp-quoting.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/scp-quoting.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 999eab9bf1499834341de56a71d5457ae2938840 Mon Sep 17 00:00:00 2001 +From 65ac1c47a87548ec1f651a70e5c5f869932f22c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= Date: Sun, 9 Feb 2014 16:09:59 +0000 Subject: Adjust scp quoting in verbose mode diff -Nru openssh-10.0p1/debian/patches/selinux-role.patch openssh-10.0p1/debian/patches/selinux-role.patch --- openssh-10.0p1/debian/patches/selinux-role.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/selinux-role.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From ad6e66e766ecc3a76c62c6daf81ebf19432713cb Mon Sep 17 00:00:00 2001 +From 07862c90f7824e24d59ea65ffcb8dbba5f84315b Mon Sep 17 00:00:00 2001 From: Manoj Srivastava Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles diff -Nru openssh-10.0p1/debian/patches/shell-path.patch openssh-10.0p1/debian/patches/shell-path.patch --- openssh-10.0p1/debian/patches/shell-path.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/shell-path.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From aff1a94c2716097f669efd7d59b257f50232c01e Mon Sep 17 00:00:00 2001 +From 1287ec850f54ee03ecda93da92c8bcb478d5d977 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:00 +0000 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand diff -Nru openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch --- openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 44616edf6f926b9fec6a322c755fb1bb8c90e7fe Mon Sep 17 00:00:00 2001 +From 3d83f47df49d9b38dd014ef87089b14b42060250 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 11 Mar 2024 16:24:49 +0000 Subject: Skip utimensat test on ZFS diff -Nru openssh-10.0p1/debian/patches/ssh-agent-setgid.patch openssh-10.0p1/debian/patches/ssh-agent-setgid.patch --- openssh-10.0p1/debian/patches/ssh-agent-setgid.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/ssh-agent-setgid.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 8b13bba78cbebca9f74c89f6d35c716b871f9598 Mon Sep 17 00:00:00 2001 +From 386a2152594d6e53db899af4bdb2ea568e6c0065 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:13 +0000 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) diff -Nru openssh-10.0p1/debian/patches/ssh-argv0.patch openssh-10.0p1/debian/patches/ssh-argv0.patch --- openssh-10.0p1/debian/patches/ssh-argv0.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/ssh-argv0.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From fbda96f6f98870a8445019875f8783243e53ed01 Mon Sep 17 00:00:00 2001 +From 415dea4eae964c38608df1c06e4ad3a6a5f746e0 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:10 +0000 Subject: ssh(1): Refer to ssh-argv0(1) diff -Nru openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch --- openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From d0cbcbf53d5f0d4457b47a09af06aac1f483e712 Mon Sep 17 00:00:00 2001 +From 3e3094331c64231cc7b4f92d01e72550730c5b78 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:50 +0000 Subject: Accept obsolete ssh-vulnkey configuration options diff -Nru openssh-10.0p1/debian/patches/syslog-level-silent.patch openssh-10.0p1/debian/patches/syslog-level-silent.patch --- openssh-10.0p1/debian/patches/syslog-level-silent.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/syslog-level-silent.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 098e60e62af180a1e2e2a7b0587da696cc34b92b Mon Sep 17 00:00:00 2001 +From 1b733e33ad1ea028d9840eef53da64b7316461cf Mon Sep 17 00:00:00 2001 From: Natalie Amery Date: Sun, 9 Feb 2014 16:09:54 +0000 Subject: "LogLevel SILENT" compatibility diff -Nru openssh-10.0p1/debian/patches/systemd-socket-activation.patch openssh-10.0p1/debian/patches/systemd-socket-activation.patch --- openssh-10.0p1/debian/patches/systemd-socket-activation.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/systemd-socket-activation.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From aa7d7ffcefa83f6a524da54a10cd9026b6012695 Mon Sep 17 00:00:00 2001 +From 7f825ab75842dd91ad2ac00acabc5ea0350c6794 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation diff -Nru openssh-10.0p1/debian/patches/user-group-modes.patch openssh-10.0p1/debian/patches/user-group-modes.patch --- openssh-10.0p1/debian/patches/user-group-modes.patch 2026-02-03 13:15:29.000000000 +0000 +++ openssh-10.0p1/debian/patches/user-group-modes.patch 2026-04-04 23:27:07.000000000 +0000 @@ -1,4 +1,4 @@ -From 69d17a6efb4ca9c28fdc700154affb67d696a4ee Mon Sep 17 00:00:00 2001 +From 563f24fe1c7dda0189679de9a4e55cd5d9d08c34 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:09:58 +0000 Subject: Allow harmless group-writability