[Git][security-tracker-team/security-tracker][master] Reserve DLA-4584-1 for openssh

Santiago R.R. (@santiago) santiago at debian.org
Fri May 15 16:23:26 BST 2026 


Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99f46f41 by Santiago Ruano Rincón at 2026-05-15T12:23:12-03:00
Reserve DLA-4584-1 for openssh

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -26057,31 +26057,26 @@ CVE-2026-35414 (OpenSSH before 10.3 mishandles the authorized_keys principals op
 	- openssh 1:10.3p1-1 (bug #1132576)
 	[trixie] - openssh <no-dsa> (Minor issue)
 	[bookworm] - openssh <no-dsa> (Minor issue)
-	[bullseye] - openssh <no-dsa> (Minor issue)
 	NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35388 (OpenSSH before 10.3 omits connection multiplexing confirmation for pro ...)
 	- openssh 1:10.3p1-1 (bug #1132575)
 	[trixie] - openssh <no-dsa> (Minor issue)
 	[bookworm] - openssh <no-dsa> (Minor issue)
-	[bullseye] - openssh <no-dsa> (Minor issue)
 	NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35387 (OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of an ...)
 	- openssh 1:10.3p1-1 (bug #1132574)
 	[trixie] - openssh <no-dsa> (Minor issue)
 	[bookworm] - openssh <no-dsa> (Minor issue)
-	[bullseye] - openssh <no-dsa> (Minor issue)
 	NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35386 (In OpenSSH before 10.3, command execution can occur via shell metachar ...)
 	- openssh 1:10.3p1-1 (bug #1132573)
 	[trixie] - openssh <no-dsa> (Minor issue)
 	[bookworm] - openssh <no-dsa> (Minor issue)
-	[bullseye] - openssh <no-dsa> (Minor issue)
 	NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35385 (In OpenSSH before 10.3, a file downloaded by scp may be installed setu ...)
 	- openssh 1:10.3p1-1 (bug #1132572)
 	[trixie] - openssh <no-dsa> (Minor issue)
 	[bookworm] - openssh <no-dsa> (Minor issue)
-	[bullseye] - openssh <no-dsa> (Minor issue)
 	NOTE: https://www.openssh.org/releasenotes.html#10.3p1
 CVE-2026-35168 (OpenSTAManager is an open source management software for technical ass ...)
 	NOT-FOR-US: OpenSTAManager
@@ -99498,14 +99493,12 @@ CVE-2025-61985 (ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:/
 	- openssh 1:10.1p1-1 (bug #1117530)
 	[trixie] - openssh 1:10.0p1-7+deb13u1
 	[bookworm] - openssh 1:9.2p1-2+deb12u8
-	[bullseye] - openssh <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
 	NOTE: https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0 (V_10_1_P1)
 CVE-2025-61984 (ssh in OpenSSH before 10.1 allows control characters in usernames that ...)
 	- openssh 1:10.1p1-1 (bug #1117529)
 	[trixie] - openssh 1:10.0p1-7+deb13u1
 	[bookworm] - openssh 1:9.2p1-2+deb12u8
-	[bullseye] - openssh <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
 	NOTE: https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
 	NOTE: https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043 (V_10_1_P1)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[15 May 2026] DLA-4584-1 openssh - security update
+	{CVE-2025-61984 CVE-2025-61985 CVE-2026-35385 CVE-2026-35386 CVE-2026-35387 CVE-2026-35388 CVE-2026-35414}
+	[bullseye] - openssh 1:8.4p1-5+deb11u7
 [15 May 2026] DLA-4583-1 python3.9 - security update
 	{CVE-2025-13462 CVE-2026-0672 CVE-2026-2297 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519}
 	[bullseye] - python3.9 3.9.2-1+deb11u7


=====================================
data/dla-needed.txt
=====================================
@@ -382,10 +382,6 @@ openexr
 openjpeg2
   NOTE: 20260418: Added by Front-Desk (rouca)
 --
-openssh (santiago)
-  NOTE: 20260514: Added by coordinator (santiago)
-  NOTE: 20260514: Maintainer has prepared an update
---
 openssl
   NOTE: 20260411: Added by Front-Desk (utkarsh)
   NOTE: 20260411: Follow DSA-6201-1 (CVE-2026-28387 CVE-2026-28388 CVE-2026-28389



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f46f41f07845a126ee692acc145c726012d651

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f46f41f07845a126ee692acc145c726012d651
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260515/3a252d80/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list