On Fri, Mar 27, 2026 at 10:45:34PM +0100, Salvatore Bonaccorso wrote:
> On Fri, Mar 27, 2026 at 06:31:05PM +0000, Colin Watson wrote:
> > Thanks. I'm not sure of the severity either, but the patch looks
> > reasonable. I've uploaded it to unstable and will work on corresponding
> > updates for trixie and bookworm.
>
> Thanks for your response! Thank you for preparing updates as well down
> to trixie and bookworm!
Do these debdiffs look OK for uploads to {bookworm,trixie}-security
(once the changelogs are finalized)? I amended gssapi.patch which is
the bottom of the patch stack, so there's some resulting git noise, but
it should be clear enough. All the autopkgtests pass locally.
Thanks,
--
Colin Watson (he/him) [[email protected]]
diff -Nru openssh-9.2p1/debian/.git-dpm openssh-9.2p1/debian/.git-dpm
--- openssh-9.2p1/debian/.git-dpm 2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/.git-dpm 2026-03-29 12:22:41.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-e5402601353303321fb2953e0b7d45f0838b94db
-e5402601353303321fb2953e0b7d45f0838b94db
+f17eedbd2398f00fbb96170b60c8d2895318223e
+f17eedbd2398f00fbb96170b60c8d2895318223e
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
cf3c3acb2b8f74eeca7fcee269b1d33ac83f1188
openssh_9.2p1.orig.tar.gz
diff -Nru openssh-9.2p1/debian/changelog openssh-9.2p1/debian/changelog
--- openssh-9.2p1/debian/changelog 2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/changelog 2026-03-29 12:22:41.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:9.2p1-2+deb12u9) UNRELEASED; urgency=medium
+
+ * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
+ use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
+ initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
+
+ -- Colin Watson <[email protected]> Sun, 29 Mar 2026 12:22:41 +0100
+
openssh (1:9.2p1-2+deb12u8) bookworm; urgency=medium
* CVE-2025-61984: ssh(1): disallow control characters in usernames passed
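Review bot: The new stanza still has `UNRELEASED` in the distribution field, so it cannot be uploaded in this form; set it to `bookworm-security` when the changelog is finalized, matching the target named in the mail. The entry would also be easier to audit if it named the files touched (kexgssc.c and kexgsss.c) rather than "some variables", and "Replace" after the semicolon should be lower case.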
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-28531.patch
openssh-9.2p1/debian/patches/CVE-2023-28531.patch
--- openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-28531.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From cdd7ccb0c240e0a8b21eacb25da9a310add20251 Mon Sep 17 00:00:00 2001
+From d17072d8dd68dabcd9fea14cd643eadd658b93e5 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 9 Mar 2023 06:58:26 +0000
Subject: upstream: include destination constraints for smartcard keys too.
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch
openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-1.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From d28ccf30cf25d22264819d998102dd72fbf6d312 Mon Sep 17 00:00:00 2001
+From ad4e0b268e0f4fc28522bf0b4e6a86e610601db4 Mon Sep 17 00:00:00 2001
From: Damien Miller <[email protected]>
Date: Thu, 13 Jul 2023 12:09:34 +1000
Subject: terminate pkcs11 process for bad libraries
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch
openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-2.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 26c255d21ebeae770a4df88415c0623c89f047be Mon Sep 17 00:00:00 2001
+From 56689a64d331679fd027c10dd618157b9cfadbd2 Mon Sep 17 00:00:00 2001
From: Damien Miller <[email protected]>
Date: Fri, 7 Jul 2023 13:30:15 +1000
Subject: disallow remote addition of FIDO/PKCS11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch
openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch
--- openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-38408-3.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 3657590a62106e02d302936bc6b1593ae24de22a Mon Sep 17 00:00:00 2001
+From e3df7d601f093b6bdea7c4c56ef0c0b9f876f9bc Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Wed, 19 Jul 2023 14:02:27 +0000
Subject: upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-48795.patch
openssh-9.2p1/debian/patches/CVE-2023-48795.patch
--- openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-48795.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 5d09f8bc808a50cb570b3f6782c55384224a488c Mon Sep 17 00:00:00 2001
+From 5e43361fd2629d7279591892b4af1af26c365a7d Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Mon, 18 Dec 2023 14:45:17 +0000
Subject: upstream: implement "strict key exchange" in ssh and sshd
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51384.patch
openssh-9.2p1/debian/patches/CVE-2023-51384.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-51384.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From ce0fe1459a5b8824e43e3733538481ea5ecbb0e1 Mon Sep 17 00:00:00 2001
+From 20d0e6f3b2d23797f6d9c95631725d53f5fd2696 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Mon, 18 Dec 2023 14:46:12 +0000
Subject: upstream: apply destination constraints to all p11 keys
diff -Nru openssh-9.2p1/debian/patches/CVE-2023-51385.patch
openssh-9.2p1/debian/patches/CVE-2023-51385.patch
--- openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2023-51385.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From e76c2b15332dbdfc01fa6ff796ad694a7c5c39b4 Mon Sep 17 00:00:00 2001
+From af3d2d9c87cbb283b75b0310eae473b777ff9533 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Mon, 18 Dec 2023 14:47:44 +0000
Subject: upstream: ban user/hostnames with most shell metacharacters
diff -Nru openssh-9.2p1/debian/patches/CVE-2025-26465.patch
openssh-9.2p1/debian/patches/CVE-2025-26465.patch
--- openssh-9.2p1/debian/patches/CVE-2025-26465.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2025-26465.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 7b5cdb866db7c75c50c800fb4750e42392ebbf43 Mon Sep 17 00:00:00 2001
+From b9ba90aa69becfdc17531d2a0613f1731cfe6977 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Fri, 14 Feb 2025 00:13:11 +0000
Subject: CVE-2025-26465: Fix MitM in verify_host_key_callback
diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch
openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch
--- openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2025-61984-tests.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From e5402601353303321fb2953e0b7d45f0838b94db Mon Sep 17 00:00:00 2001
+From f17eedbd2398f00fbb96170b60c8d2895318223e Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 03:04:44 +0000
Subject: Add more username validity checks
diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61984.patch
openssh-9.2p1/debian/patches/CVE-2025-61984.patch
--- openssh-9.2p1/debian/patches/CVE-2025-61984.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2025-61984.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From cab036bedba20f6f11a9fd3baab79645a2c30d4c Mon Sep 17 00:00:00 2001
+From 8d3eae0cb6c443f5b3747aedde770fbeee7317f9 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 00:29:09 +0000
Subject: Refuse usernames that include control characters
diff -Nru openssh-9.2p1/debian/patches/CVE-2025-61985.patch
openssh-9.2p1/debian/patches/CVE-2025-61985.patch
--- openssh-9.2p1/debian/patches/CVE-2025-61985.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/CVE-2025-61985.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 48b09ff880d30b95d18273b02601097abeb12b9d Mon Sep 17 00:00:00 2001
+From 2ada375659b2c3d1f85739bc1ceaefb9f9128600 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 00:30:06 +0000
Subject: upstream: don't allow \0 characters in url-encoded strings.
diff -Nru
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
---
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
2026-02-03 13:16:06.000000000 +0000
+++
openssh-9.2p1/debian/patches/Disable-async-signal-unsafe-code-from-the-sshsigdie-.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 423c6fe52d13614994827e5cee65dac925232855 Mon Sep 17 00:00:00 2001
+From d16db6f3339bbe3e43e9a8116346bf00196ebc64 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <[email protected]>
Date: Sat, 22 Jun 2024 21:33:03 +0200
Subject: Disable async-signal-unsafe code from the sshsigdie() function
diff -Nru openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch
openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch
--- openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/authorized-keys-man-symlink.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From dee22f6f22efc21f49e55620c978023f43cf336d Mon Sep 17 00:00:00 2001
+From a817885b63c510f6caba684e9371dc59940403d8 Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <[email protected]>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff -Nru openssh-9.2p1/debian/patches/conch-ssh-rsa.patch
openssh-9.2p1/debian/patches/conch-ssh-rsa.patch
--- openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/conch-ssh-rsa.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 6d532487bc6c01eacf3f5f92a3239d9ff84a9f61 Mon Sep 17 00:00:00 2001
+From b37909737bf937789947b0e7d49c905cb8eff978 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Tue, 15 Feb 2022 18:25:35 +0000
Subject: Work around RSA SHA-2 signature issues in conch
diff -Nru openssh-9.2p1/debian/patches/debian-banner.patch
openssh-9.2p1/debian/patches/debian-banner.patch
--- openssh-9.2p1/debian/patches/debian-banner.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/debian-banner.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 250ea677f62ee37a800e49d5d68683eb4ff241f7 Mon Sep 17 00:00:00 2001
+From 47e879b5122436ff563afb91e319a78881118336 Mon Sep 17 00:00:00 2001
From: Kees Cook <[email protected]>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
diff -Nru openssh-9.2p1/debian/patches/debian-config.patch
openssh-9.2p1/debian/patches/debian-config.patch
--- openssh-9.2p1/debian/patches/debian-config.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/debian-config.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 4363eb93bc775a6e759c1682da4f3a69543717bd Mon Sep 17 00:00:00 2001
+From c132dd740fb127fdf71735b69093d3058f09f98a Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
diff -Nru openssh-9.2p1/debian/patches/dnssec-sshfp.patch
openssh-9.2p1/debian/patches/dnssec-sshfp.patch
--- openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/dnssec-sshfp.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From b19054b02f64d320194f86e305a9d97053c9ab01 Mon Sep 17 00:00:00 2001
+From 461a8f7d31154ccbf95927c67c7be477802210f6 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff -Nru openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch
openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch
--- openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/doc-hash-tab-completion.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From fc51509b693b1b31ad48b93019da576edb905e13 Mon Sep 17 00:00:00 2001
+From 71b05455c09e8de3a7d06e4305e52e56de6b1860 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
diff -Nru openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
openssh-9.2p1/debian/patches/fix-disable-forwarding.patch
--- openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/fix-disable-forwarding.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From d69f6291ca7b1d7315a54aa50c1538f97b7b1f8f Mon Sep 17 00:00:00 2001
+From 95b236584c7dd434cfcb904cca94ca298b706102 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Wed, 9 Apr 2025 07:00:03 +0000
Subject: upstream: Fix logic error in DisableForwarding option. This option
diff -Nru openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch
openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch
--- openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From deab71aa1b1bffb0f036ce681045aad80a846db4 Mon Sep 17 00:00:00 2001
+From 091f33f08b04c6365a4293fa198af81036b93599 Mon Sep 17 00:00:00 2001
From: Vincent Untz <[email protected]>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
diff -Nru openssh-9.2p1/debian/patches/gssapi.patch
openssh-9.2p1/debian/patches/gssapi.patch
--- openssh-9.2p1/debian/patches/gssapi.patch 2026-02-03 13:16:06.000000000
+0000
+++ openssh-9.2p1/debian/patches/gssapi.patch 2026-03-29 12:22:41.000000000
+0100
@@ -1,4 +1,4 @@
-From 03e7fd7bd4470a1322fa8da42789577cc5b1d7ec Mon Sep 17 00:00:00 2001
+From c65263926dfdbce12a49b7fc3824fe701a9d19bd Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,7 +21,7 @@
Author: Jakub Jelen <[email protected]>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2024-12-03
+Last-Updated: 2026-03-29
Patch-Name: gssapi.patch
---
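Review bot: Only `Last-Updated` changes in the gssapi.patch header, so the patch description keeps no record that the CVE-2026-3497 fix was folded into it. Because this patch sits at the bottom of the stack and the amendment otherwise shows up only as changed `From <hash>` lines in every other patch, add a line to the description naming CVE-2026-3497 and #1130595, so the change can be found later without going back to this debdiff.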
@@ -42,7 +42,7 @@
kexdh.c | 10 +
kexgen.c | 2 +-
kexgssc.c | 599 ++++++++++++++++++++++++++++++++++++++++++++++++
- kexgsss.c | 474 ++++++++++++++++++++++++++++++++++++++
+ kexgsss.c | 475 ++++++++++++++++++++++++++++++++++++++
monitor.c | 139 ++++++++++-
monitor.h | 2 +
monitor_wrap.c | 57 ++++-
@@ -64,7 +64,7 @@
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 39 files changed, 2770 insertions(+), 166 deletions(-)
+ 39 files changed, 2771 insertions(+), 166 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
@@ -1597,7 +1597,7 @@
const struct sshbuf *client_version,
diff --git a/kexgssc.c b/kexgssc.c
new file mode 100644
-index 000000000..1c62740e7
+index 000000000..feca2a901
--- /dev/null
+++ b/kexgssc.c
@@ -0,0 +1,599 @@
@@ -1655,8 +1655,8 @@
+{
+ struct kex *kex = ssh->kex;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+ recv_tok = GSS_C_EMPTY_BUFFER,
-+ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+ Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
+ struct sshbuf *server_blob = NULL;
@@ -1801,11 +1801,11 @@
+ fatal("Failed to read token:
%s", ssh_err(r));
+ /* If we're already complete - protocol
error */
+ if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh,
"Protocol error: received token when complete");
+ } else {
+ /* No token included */
+ if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh,
"Protocol error: did not receive final token");
+ }
+ if ((r = sshpkt_get_end(ssh)) != 0) {
+ fatal("Expecting end of packet.");
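Review bot: The two protocol-error branches on `maj_status` now depend on ssh_packet_disconnect() never returning, and nothing at the call sites says so. With the old sshpkt_disconnect() the return value was discarded and control continued into `sshpkt_get_end(ssh)` with the key exchange still in progress. A one-line comment at the first replacement, or a sentence in the patch description, stating that ssh_packet_disconnect() terminates the connection and does not return would make the intent clear. The same applies to the `default:` case and the MIC check replaced in the later kexgssc.c hunks.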
@@ -1821,7 +1821,7 @@
+ fatal("sshpkt_get failed: %s",
ssh_err(r));
+ fatal("GSSAPI Error: \n%.400s", msg);
+ default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't
expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error:
didn't expect packet type %d",
+ type);
+ }
+ token_ptr = &recv_tok;
@@ -1894,7 +1894,7 @@
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&min_status, &msg_tok);
+
@@ -1926,8 +1926,8 @@
+{
+ struct kex *kex = ssh->kex;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
-+ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+ Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
+ struct sshbuf *shared_secret = NULL;
@@ -2093,11 +2093,11 @@
+ fatal("sshpkt failed: %s",
ssh_err(r));
+ /* If we're already complete - protocol
error */
+ if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh,
"Protocol error: received token when complete");
+ } else {
+ /* No token included */
+ if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh,
"Protocol error: did not receive final token");
+ }
+ break;
+ case SSH2_MSG_KEXGSS_ERROR:
@@ -2110,7 +2110,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ fatal("GSSAPI Error: \n%.400s", msg);
+ default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't
expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error:
didn't expect packet type %d",
+ type);
+ }
+ token_ptr = &recv_tok;
@@ -2172,7 +2172,7 @@
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&min_status, &msg_tok);
+
@@ -2202,10 +2202,10 @@
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/kexgsss.c b/kexgsss.c
new file mode 100644
-index 000000000..a2c02148b
+index 000000000..aa546be74
--- /dev/null
+++ b/kexgsss.c
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@@ -2272,7 +2272,8 @@
+ */
+
+ OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL;
@@ -2351,7 +2352,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ break;
+ default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
+ "Protocol error: didn't expect packet type %d",
+ type);
+ }
@@ -2467,7 +2468,8 @@
+ */
+
+ OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL;
@@ -2524,8 +2526,7 @@
+ min, nbits, max);
+ kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+ if (kex->dh == NULL) {
-+ sshpkt_disconnect(ssh, "Protocol error: no matching group
found");
-+ fatal("Protocol error: no matching group found");
++ ssh_packet_disconnect(ssh, "Protocol error: no matching group
found");
+ }
+
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
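Review bot: With the `fatal()` line dropped from the `if (kex->dh == NULL)` block, ssh_packet_disconnect() is the only thing between a failed choose_dh() and `DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g)` on a NULL pointer. That is fine as long as ssh_packet_disconnect() cannot return, but the previous code had an explicit terminating call and this one relies on it implicitly; a short comment to that effect would keep a later reader from "restoring" the non-terminating variant. The braces now wrap a single statement and can be dropped to match the other call sites in this file.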
@@ -2564,7 +2565,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ break;
+ default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
+ "Protocol error: didn't expect packet type %d",
+ type);
+ }
diff -Nru openssh-9.2p1/debian/patches/incorrect-return-values.patch
openssh-9.2p1/debian/patches/incorrect-return-values.patch
--- openssh-9.2p1/debian/patches/incorrect-return-values.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/incorrect-return-values.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 902b3eaff361ec5fe9aeb77b91d0c3f721621beb Mon Sep 17 00:00:00 2001
+From 88bf837d1e6ce1025047a97d4f6901f2a60b3771 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Fri, 14 Feb 2025 00:24:52 +0000
Subject: Fix incorrect return values on a number of error paths
diff -Nru openssh-9.2p1/debian/patches/keepalive-extensions.patch
openssh-9.2p1/debian/patches/keepalive-extensions.patch
--- openssh-9.2p1/debian/patches/keepalive-extensions.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/keepalive-extensions.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 88e35da8605f70f062e5aafd223098e158425aa4 Mon Sep 17 00:00:00 2001
+From f0152b64367b79554f55a71d84e68c3d29d61e85 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <[email protected]>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
diff -Nru openssh-9.2p1/debian/patches/maxhostnamelen.patch
openssh-9.2p1/debian/patches/maxhostnamelen.patch
--- openssh-9.2p1/debian/patches/maxhostnamelen.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/maxhostnamelen.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 0de61f52e23476a50b05d8bc7aab66adb411defd Mon Sep 17 00:00:00 2001
+From 295310dd73d907c4fd9c4882739a2b82c18b4ada Mon Sep 17 00:00:00 2001
From: Svante Signell <[email protected]>
Date: Fri, 5 Nov 2021 23:22:53 +0000
Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff -Nru openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch
openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch
--- openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/mention-ssh-keygen-on-keychange.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From faaa7e24f0440213fab3558ffbd8119c04f4ae12 Mon Sep 17 00:00:00 2001
+From e011a4c78a843be85b49374f7f255f3aae884c1f Mon Sep 17 00:00:00 2001
From: Scott Moser <[email protected]>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff -Nru openssh-9.2p1/debian/patches/no-openssl-version-status.patch
openssh-9.2p1/debian/patches/no-openssl-version-status.patch
--- openssh-9.2p1/debian/patches/no-openssl-version-status.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/no-openssl-version-status.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 6512a9b0020d9c7a63d6e0cf237da4c088489a7b Mon Sep 17 00:00:00 2001
+From 9d87a74dbcdb1e3732c8c9f1abee939638fda725 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <[email protected]>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
diff -Nru openssh-9.2p1/debian/patches/openbsd-docs.patch
openssh-9.2p1/debian/patches/openbsd-docs.patch
--- openssh-9.2p1/debian/patches/openbsd-docs.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/openbsd-docs.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From e76555b386bf0a09ac60b4de7cd46960ca736164 Mon Sep 17 00:00:00 2001
+From a967c10d51a4b16fbb6df0190bb1c5e7ee5c1819 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch
openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch
--- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility-test.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From f32089dd98a157929164f1f38ba88d3114e63312 Mon Sep 17 00:00:00 2001
+From bab400123c7e33e44f1e877251f781132a7eb95c Mon Sep 17 00:00:00 2001
From: Darren Tucker <[email protected]>
Date: Tue, 9 May 2023 17:12:50 +1000
Subject: Update OpenSSL compat test for 3.x.
diff -Nru openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch
openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch
--- openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/openssl-3-abi-compatibility.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 45e9a6aeb8179ed7bf306785f042fef6137e866a Mon Sep 17 00:00:00 2001
+From 1c4180550eaa3da07e5ff78a2c38d4f267d80db2 Mon Sep 17 00:00:00 2001
From: Darren Tucker <[email protected]>
Date: Mon, 8 May 2023 20:12:59 +1000
Subject: Handle OpenSSL >=3 ABI compatibility.
diff -Nru openssh-9.2p1/debian/patches/package-versioning.patch
openssh-9.2p1/debian/patches/package-versioning.patch
--- openssh-9.2p1/debian/patches/package-versioning.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/package-versioning.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 62a119032fb35d2494730603d01ea384e144f82a Mon Sep 17 00:00:00 2001
+From 5112b18efe5f92c5e3b21a3aea8d9d41582d572f Mon Sep 17 00:00:00 2001
From: Matthew Vernon <[email protected]>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
diff -Nru openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
--- openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/remove-spurious-ssh-agent-options.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From d6a6e02729e06e77a8068122ee88ec391789fd4c Mon Sep 17 00:00:00 2001
+From 4c67c4f548ac13939cf0599adb3cbdd67b368afc Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Tue, 7 Feb 2023 23:55:19 +0000
Subject: Remove spurious ssh-agent options
diff -Nru openssh-9.2p1/debian/patches/restore-authorized_keys2.patch
openssh-9.2p1/debian/patches/restore-authorized_keys2.patch
--- openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/restore-authorized_keys2.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 808fc9c9fe9af878a8d2ad8db47ea01292d2740d Mon Sep 17 00:00:00 2001
+From afc9d494b9e2d6ab3aef194d958a00c325da77b2 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff -Nru openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch
openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch
--- openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/restore-tcp-wrappers.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From b43542890d0f92850e5c8bbd30f62204791fce98 Mon Sep 17 00:00:00 2001
+From 8c3de439bb486812ed3a63d24573c58f2c96dc70 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
diff -Nru openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch
openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/revert-ipqos-defaults.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 8ec019ee41a379ba31344b0dc767b0aeb9c12fd5 Mon Sep 17 00:00:00 2001
+From 44ec3907fe80286c2cc81858b0067e0ab49ce6b4 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff -Nru openssh-9.2p1/debian/patches/scp-quoting.patch
openssh-9.2p1/debian/patches/scp-quoting.patch
--- openssh-9.2p1/debian/patches/scp-quoting.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/scp-quoting.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 3e9d83c98093d1485e33eb94f8449c2b0683ebc8 Mon Sep 17 00:00:00 2001
+From 260c1cd8bc98c0040e4b30e1190da0b79dfed1d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <[email protected]>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
diff -Nru openssh-9.2p1/debian/patches/selinux-role.patch
openssh-9.2p1/debian/patches/selinux-role.patch
--- openssh-9.2p1/debian/patches/selinux-role.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/selinux-role.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 07fb0a9e6b42cdb0225517609e60165beb268ceb Mon Sep 17 00:00:00 2001
+From 37927b2753dd7ebc6cbaa2a7e8bf642d4fced14c Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <[email protected]>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
diff -Nru openssh-9.2p1/debian/patches/shell-path.patch
openssh-9.2p1/debian/patches/shell-path.patch
--- openssh-9.2p1/debian/patches/shell-path.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/shell-path.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 695ba53a206de76d33d734ba359c4203088368cb Mon Sep 17 00:00:00 2001
+From 76f73b1a1cb01e6fbe8f64ffad6f0ee8e2693a88 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff -Nru openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch
openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch
--- openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/sntrup761x25519-sha512.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 28483d6bfa7171cb3569b9650191a4ea03d2c157 Mon Sep 17 00:00:00 2001
+From 599f3a72fdf274d58e8d2db73c0afe92a9037355 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 22 Aug 2024 23:11:30 +0000
Subject: upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned,
diff -Nru openssh-9.2p1/debian/patches/ssh-agent-setgid.patch
openssh-9.2p1/debian/patches/ssh-agent-setgid.patch
--- openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-agent-setgid.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From d5a2ba7af682ae724440edb5030094b19455fd98 Mon Sep 17 00:00:00 2001
+From 5574e44dd7d5ddded6f4756b5a31b6fb030ba4df Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff -Nru openssh-9.2p1/debian/patches/ssh-argv0.patch
openssh-9.2p1/debian/patches/ssh-argv0.patch
--- openssh-9.2p1/debian/patches/ssh-argv0.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-argv0.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 415984f4dba214dbd469af8bd5ba88a8eaf87bac Mon Sep 17 00:00:00 2001
+From 8d765ddad95a2b0f63646865a545fe666dc43c80 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
diff -Nru openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch
openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch
--- openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/ssh-vulnkey-compat.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 29e019028843d1b63f95854f425b8efe69317b6a Mon Sep 17 00:00:00 2001
+From 226d619b6bf93334fa5b1f13d419c32879eb8ed9 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
diff -Nru openssh-9.2p1/debian/patches/syslog-level-silent.patch
openssh-9.2p1/debian/patches/syslog-level-silent.patch
--- openssh-9.2p1/debian/patches/syslog-level-silent.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/syslog-level-silent.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 3cd29305c77bb26eb4ec6b34078317eee6f9bf15 Mon Sep 17 00:00:00 2001
+From 317bf7c3eb826466d8cf09489cf3b87e5d4196b1 Mon Sep 17 00:00:00 2001
From: Natalie Amery <[email protected]>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
diff -Nru openssh-9.2p1/debian/patches/systemd-readiness.patch
openssh-9.2p1/debian/patches/systemd-readiness.patch
--- openssh-9.2p1/debian/patches/systemd-readiness.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/systemd-readiness.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From b12e301f5d94cdbc28598ba38709f44fe433b4bb Mon Sep 17 00:00:00 2001
+From 16928bde79a31eb7f46c6206471a811a2e67a30f Mon Sep 17 00:00:00 2001
From: Michael Biebl <[email protected]>
Date: Mon, 21 Dec 2015 16:08:47 +0000
Subject: Add systemd readiness notification support
diff -Nru openssh-9.2p1/debian/patches/systemd-socket-activation.patch
openssh-9.2p1/debian/patches/systemd-socket-activation.patch
--- openssh-9.2p1/debian/patches/systemd-socket-activation.patch
2026-02-03 13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/systemd-socket-activation.patch
2026-03-29 12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 8b86adf81bb0f382117bc693efeab25378ff6187 Mon Sep 17 00:00:00 2001
+From 93f10fb98f8257b451bda07a3a98cc7314a85a46 Mon Sep 17 00:00:00 2001
From: Steve Langasek <[email protected]>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
diff -Nru openssh-9.2p1/debian/patches/user-group-modes.patch
openssh-9.2p1/debian/patches/user-group-modes.patch
--- openssh-9.2p1/debian/patches/user-group-modes.patch 2026-02-03
13:16:06.000000000 +0000
+++ openssh-9.2p1/debian/patches/user-group-modes.patch 2026-03-29
12:22:41.000000000 +0100
@@ -1,4 +1,4 @@
-From 603e2674118ba4136b73561941086a24a21ac7e8 Mon Sep 17 00:00:00 2001
+From 22367a34547dd7e93392f05bea6c79e97b5ddc58 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
diff -Nru openssh-10.0p1/debian/.git-dpm openssh-10.0p1/debian/.git-dpm
--- openssh-10.0p1/debian/.git-dpm 2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/.git-dpm 2026-03-27 18:28:37.000000000 +0000
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-f9aa1828af2d4cb16246a9f98efb5239c094d8b3
-f9aa1828af2d4cb16246a9f98efb5239c094d8b3
+947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2
+947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2
860fa104f07024318a40065f07708daa5753f55d
860fa104f07024318a40065f07708daa5753f55d
openssh_10.0p1.orig.tar.gz
diff -Nru openssh-10.0p1/debian/changelog openssh-10.0p1/debian/changelog
--- openssh-10.0p1/debian/changelog 2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/changelog 2026-03-27 18:28:37.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:10.0p1-7+deb13u2) UNRELEASED; urgency=medium
+
+ * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
+ use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
+ initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
+
+ -- Colin Watson <[email protected]> Fri, 27 Mar 2026 18:28:37 +0000
+
openssh (1:10.0p1-7+deb13u1) trixie; urgency=medium
* CVE-2025-61984: ssh(1): disallow control characters in usernames passed
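
Review bot: The distribution field in the new entry is still UNRELEASED and has to become trixie-security before this is built for the upload proposed in the message. In the entry text, "properly initialize some variables" is vaguer than the change itself: the gssapi.patch hunks initialize gssbuf in the two kexgssc.c functions and gssbuf, recv_tok and msg_tok in the two kexgsss.c functions, and naming them would make the entry checkable against the diff.
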
diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch
openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch
--- openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/CVE-2025-61984-tests.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 68dfc2656e933f1571999e340da8db1137a27a78 Mon Sep 17 00:00:00 2001
+From 4a8b438b5a7cd0534dbfa11e953935ae24debbc6 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 03:04:44 +0000
Subject: upstream: repair test after changes to percent expansion of usernames
diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61984.patch
openssh-10.0p1/debian/patches/CVE-2025-61984.patch
--- openssh-10.0p1/debian/patches/CVE-2025-61984.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/CVE-2025-61984.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 7e076cb419a27153e81243b339ce2efbc3c1f6f3 Mon Sep 17 00:00:00 2001
+From 82a6200c6affd9a90b3fe8e2fdea93b839319aea Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 00:29:09 +0000
Subject: upstream: Improve rules for %-expansion of username.
diff -Nru openssh-10.0p1/debian/patches/CVE-2025-61985.patch
openssh-10.0p1/debian/patches/CVE-2025-61985.patch
--- openssh-10.0p1/debian/patches/CVE-2025-61985.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/CVE-2025-61985.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 0bd8630712ee27da7aebfec79c96239657ae9369 Mon Sep 17 00:00:00 2001
+From 51b9b26c9f76b2594ca93ce1ac49aa10931d098a Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Thu, 4 Sep 2025 00:30:06 +0000
Subject: upstream: don't allow \0 characters in url-encoded strings.
diff -Nru openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch
openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch
--- openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/authorized-keys-man-symlink.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From d8aca11c6d61adb619a8aea6f2f3a7a3365babda Mon Sep 17 00:00:00 2001
+From 7deef22ee3383b6e33de3201a2b060fc4dc43807 Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <[email protected]>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff -Nru openssh-10.0p1/debian/patches/configure-cache-vars.patch
openssh-10.0p1/debian/patches/configure-cache-vars.patch
--- openssh-10.0p1/debian/patches/configure-cache-vars.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/configure-cache-vars.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 009c6b987ef180ee0ef58b5c06dfdbf0097e18a9 Mon Sep 17 00:00:00 2001
+From 632c556fc44085e0cf62c92fbea312bc2ff01700 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Wed, 3 Apr 2024 11:52:04 +0100
Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
diff -Nru openssh-10.0p1/debian/patches/debian-banner.patch
openssh-10.0p1/debian/patches/debian-banner.patch
--- openssh-10.0p1/debian/patches/debian-banner.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/debian-banner.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 8f693762755211b20d50f7e0b963bd1c3955c4b7 Mon Sep 17 00:00:00 2001
+From d6fd5dcdde06aa1a4cab5b1f7a567db52bb2b167 Mon Sep 17 00:00:00 2001
From: Kees Cook <[email protected]>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
diff -Nru openssh-10.0p1/debian/patches/debian-config.patch
openssh-10.0p1/debian/patches/debian-config.patch
--- openssh-10.0p1/debian/patches/debian-config.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/debian-config.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 5fbe366def6557d221b9d955b7ab9bfbe88fd2b3 Mon Sep 17 00:00:00 2001
+From 338f3682c8f7d00f59f9f372b1277b974b2b0b1a Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
diff -Nru openssh-10.0p1/debian/patches/dnssec-sshfp.patch
openssh-10.0p1/debian/patches/dnssec-sshfp.patch
--- openssh-10.0p1/debian/patches/dnssec-sshfp.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/dnssec-sshfp.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 4b42694c1823a9eb69a972c53cf79ce289b2c810 Mon Sep 17 00:00:00 2001
+From 5bb05b304c54f31f2d5436af66f350ed53e1a8e7 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff -Nru openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch
openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch
--- openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/doc-hash-tab-completion.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From c3c79bbb6ba940f4587dddaf8e85b8f36e4a895e Mon Sep 17 00:00:00 2001
+From e543205e05bf22f8fc597501b2193ed96ec7baf4 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
diff -Nru openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch
openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch
--- openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/fix-max-startups-tracking.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From f9aa1828af2d4cb16246a9f98efb5239c094d8b3 Mon Sep 17 00:00:00 2001
+From 947d15f4b44cf7d4ce337c82ed7e1a167a4f4dc2 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Fri, 4 Jul 2025 09:51:01 +0000
Subject: upstream: Fix mistracking of MaxStartups process exits in some
diff -Nru openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch
openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch
--- openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/gnome-ssh-askpass2-icon.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 53cb8cc4c931b81db8a924be43e09ad6edca9808 Mon Sep 17 00:00:00 2001
+From 529e4a8b6b7e75739191391aa3f8242b5f1cf476 Mon Sep 17 00:00:00 2001
From: Vincent Untz <[email protected]>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
diff -Nru openssh-10.0p1/debian/patches/gssapi.patch
openssh-10.0p1/debian/patches/gssapi.patch
--- openssh-10.0p1/debian/patches/gssapi.patch 2026-02-03 13:15:29.000000000
+0000
+++ openssh-10.0p1/debian/patches/gssapi.patch 2026-03-27 18:28:37.000000000
+0000
@@ -1,4 +1,4 @@
-From 27126756ed15744cdf4d0cff1ee8dcfe567f7c8b Mon Sep 17 00:00:00 2001
+From 5d49824da13bf2bca6140d96b69b222fc90ddd2b Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,7 +21,7 @@
Author: Jakub Jelen <[email protected]>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2025-04-11
+Last-Updated: 2026-03-27
Patch-Name: gssapi.patch
---
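
Review bot: The patch header only gets a Last-Updated bump here, and no other header line falls inside a changed hunk, so nothing in gssapi.patch itself records that it now carries the CVE-2026-3497 fix. Because the fix is folded into this patch rather than shipped as its own file, a short line in the description naming the CVE and Debian bug #1130595 would keep the provenance visible to whoever next rebases it.
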
@@ -42,7 +42,7 @@
kexdh.c | 10 +
kexgen.c | 2 +-
kexgssc.c | 602 ++++++++++++++++++++++++++++++++++++++++++++++++
- kexgsss.c | 478 ++++++++++++++++++++++++++++++++++++++
+ kexgsss.c | 479 ++++++++++++++++++++++++++++++++++++++
monitor.c | 139 ++++++++++-
monitor.h | 2 +
monitor_wrap.c | 57 ++++-
@@ -66,7 +66,7 @@
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 41 files changed, 2671 insertions(+), 74 deletions(-)
+ 41 files changed, 2672 insertions(+), 74 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
@@ -1422,7 +1422,7 @@
const struct sshbuf *client_version,
diff --git a/kexgssc.c b/kexgssc.c
new file mode 100644
-index 000000000..2da431428
+index 000000000..1bcf7cae9
--- /dev/null
+++ b/kexgssc.c
@@ -0,0 +1,602 @@
@@ -1480,8 +1480,8 @@
+{
+ struct kex *kex = ssh->kex;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+ recv_tok = GSS_C_EMPTY_BUFFER,
-+ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+ Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
+ struct sshbuf *server_blob = NULL;
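
Review bot: Only gssbuf gains an initializer in this declaration block; *token_ptr, and maj_status, min_status and ret_flags on the following line, are still declared without one, while the server side in kexgsss.c starts from ret_flags = 0. maj_status is compared against GSS_S_COMPLETE in the packet-handling branches further down, so either initialize these here as well or confirm that each is assigned before its first read on every path, given that the changelog describes the fix as properly initializing variables.
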
@@ -1626,11 +1626,11 @@
+ fatal("Failed to read token:
%s", ssh_err(r));
+ /* If we're already complete - protocol
error */
+ if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh,
"Protocol error: received token when complete");
+ } else {
+ /* No token included */
+ if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh,
"Protocol error: did not receive final token");
+ }
+ if ((r = sshpkt_get_end(ssh)) != 0) {
+ fatal("Expecting end of packet.");
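
Review bot: Neither protocol-error branch here is followed by a return or break, so the fix rests entirely on ssh_packet_disconnect() not returning, whereas the sshpkt_disconnect() call it replaces returned to the caller and let control reach the sshpkt_get_end() check below. That contract is not visible at the call sites; a one-line comment at the first replaced call, or a sentence in the patch description, would stop a later rebase from swapping the calls back.
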
@@ -1646,7 +1646,7 @@
+ fatal("sshpkt_get failed: %s",
ssh_err(r));
+ fatal("GSSAPI Error: \n%.400s", msg);
+ default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't
expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error:
didn't expect packet type %d",
+ type);
+ }
+ token_ptr = &recv_tok;
@@ -1719,7 +1719,7 @@
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&min_status, &msg_tok);
+
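
Review bot: No regression test for the MIC failure path is visible in the hunks shown here, and this is the call site where returning from the disconnect mattered most: a failed ssh_gssapi_checkmic() used to fall through to the gss_release_buffer() call that follows. Do the autopkgtests that pass locally include a case where the MIC fails to verify? If not, please record in the bug how this path was exercised on both target versions.
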
@@ -1751,8 +1751,8 @@
+{
+ struct kex *kex = ssh->kex;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
-+ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+ Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
+ struct sshbuf *shared_secret = NULL;
@@ -1921,11 +1921,11 @@
+ fatal("sshpkt failed: %s",
ssh_err(r));
+ /* If we're already complete - protocol
error */
+ if (maj_status == GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: received token when complete");
++ ssh_packet_disconnect(ssh,
"Protocol error: received token when complete");
+ } else {
+ /* No token included */
+ if (maj_status != GSS_S_COMPLETE)
-+ sshpkt_disconnect(ssh,
"Protocol error: did not receive final token");
++ ssh_packet_disconnect(ssh,
"Protocol error: did not receive final token");
+ }
+ break;
+ case SSH2_MSG_KEXGSS_ERROR:
@@ -1938,7 +1938,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ fatal("GSSAPI Error: \n%.400s", msg);
+ default:
-+ sshpkt_disconnect(ssh, "Protocol error: didn't
expect packet type %d",
++ ssh_packet_disconnect(ssh, "Protocol error:
didn't expect packet type %d",
+ type);
+ }
+ token_ptr = &recv_tok;
@@ -2000,7 +2000,7 @@
+
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++ ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
+
+ gss_release_buffer(&min_status, &msg_tok);
+
@@ -2030,10 +2030,10 @@
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/kexgsss.c b/kexgsss.c
new file mode 100644
-index 000000000..1fd1d1e48
+index 000000000..b3d6d9d87
--- /dev/null
+++ b/kexgsss.c
-@@ -0,0 +1,478 @@
+@@ -0,0 +1,479 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@@ -2100,7 +2100,8 @@
+ */
+
+ OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL;
@@ -2179,7 +2180,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ break;
+ default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
+ "Protocol error: didn't expect packet type %d",
+ type);
+ }
@@ -2295,7 +2296,8 @@
+ */
+
+ OM_uint32 ret_flags = 0;
-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
++ gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++ recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL;
@@ -2356,8 +2358,7 @@
+ min, nbits, max);
+ kex->dh = mm_choose_dh(min, nbits, max);
+ if (kex->dh == NULL) {
-+ sshpkt_disconnect(ssh, "Protocol error: no matching group
found");
-+ fatal("Protocol error: no matching group found");
++ ssh_packet_disconnect(ssh, "Protocol error: no matching group
found");
+ }
+
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
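
Review bot: Dropping fatal() after the disconnect leaves ssh_packet_disconnect() as the only thing between kex->dh == NULL and the DH_get0_pqg(kex->dh, ...) call two lines below, where the old code had fatal() as a backstop for the case that sshpkt_disconnect() returned. That is fine as long as the replacement never returns, but the removal is a behavioural detail the changelog entry does not mention, and the braces now wrap a single statement and can go to match the other replaced call sites.
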
@@ -2396,7 +2397,7 @@
+ fatal("sshpkt failed: %s", ssh_err(r));
+ break;
+ default:
-+ sshpkt_disconnect(ssh,
++ ssh_packet_disconnect(ssh,
+ "Protocol error: didn't expect packet type %d",
+ type);
+ }
diff -Nru openssh-10.0p1/debian/patches/keepalive-extensions.patch
openssh-10.0p1/debian/patches/keepalive-extensions.patch
--- openssh-10.0p1/debian/patches/keepalive-extensions.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/keepalive-extensions.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From d3fc1f4d6bf0c2a857af1d5f90e7a0b061cdb490 Mon Sep 17 00:00:00 2001
+From 38ff54854c66202fb6aa027297388d16a30a410c Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <[email protected]>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
diff -Nru openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch
openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch
--- openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/mention-ssh-keygen-on-keychange.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 4bf6a2acf9290928d4393c3d3f219074c9c7eb3c Mon Sep 17 00:00:00 2001
+From 7d939cbba308f7fd89681e80a2fdf3a0fdbd1615 Mon Sep 17 00:00:00 2001
From: Scott Moser <[email protected]>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff -Nru openssh-10.0p1/debian/patches/no-openssl-version-status.patch
openssh-10.0p1/debian/patches/no-openssl-version-status.patch
--- openssh-10.0p1/debian/patches/no-openssl-version-status.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/no-openssl-version-status.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From bcb6fbcb58e6256516d5a63e6c27c3dd880373c3 Mon Sep 17 00:00:00 2001
+From 3aea5667e9443404363720a955990f9f4f50e0e5 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <[email protected]>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
diff -Nru openssh-10.0p1/debian/patches/openbsd-docs.patch
openssh-10.0p1/debian/patches/openbsd-docs.patch
--- openssh-10.0p1/debian/patches/openbsd-docs.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/openbsd-docs.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From f44687fdc6dcf48a38f32693d7e28034d4961d0d Mon Sep 17 00:00:00 2001
+From cc76bfc84adb27c0c4faf996408a698caba0f07f Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
diff -Nru openssh-10.0p1/debian/patches/package-versioning.patch
openssh-10.0p1/debian/patches/package-versioning.patch
--- openssh-10.0p1/debian/patches/package-versioning.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/package-versioning.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From fc17470467826ef2bf50c930a45f6db43c2b5ba3 Mon Sep 17 00:00:00 2001
+From 7cd59302d8fa7eeb3de5fdbefc09a023d0e656d6 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <[email protected]>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
diff -Nru openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch
openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch
--- openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/pam-avoid-unknown-host.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From f5c89caec93130da905a95602cf36a4e25f2303e Mon Sep 17 00:00:00 2001
+From ccbb3efb1598cde11bb76d6045cd73c8f1773fd0 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <[email protected]>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
diff -Nru openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch
openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch
--- openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/regress-conch-dev-zero.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 93b2730229d7385fe79d2136c5269e5a7fd49795 Mon Sep 17 00:00:00 2001
+From 9db329d6764879915981e5ace3acd02534922b1d Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 31 Mar 2024 00:24:11 +0000
Subject: regress: Redirect conch stdin from /dev/zero
diff -Nru openssh-10.0p1/debian/patches/restore-authorized_keys2.patch
openssh-10.0p1/debian/patches/restore-authorized_keys2.patch
--- openssh-10.0p1/debian/patches/restore-authorized_keys2.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/restore-authorized_keys2.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 379b97fb24160f38bcd5f3be5737eac848a04af9 Mon Sep 17 00:00:00 2001
+From 3b1b1445b4963871731f94d473ad039585f7c134 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff -Nru openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch
openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch
--- openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/restore-tcp-wrappers.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 5f13fe22c2a9771dbcd12e2e9a1b2f905bcad22a Mon Sep 17 00:00:00 2001
+From 840b02b43ecdeb1a062c487798a26c4b1ca41ac6 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
diff -Nru openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch
openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch
--- openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/revert-ipqos-defaults.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From c0165ba64a76bf4d962d6d9a500299c2696e150d Mon Sep 17 00:00:00 2001
+From 88dc4a66e9c8fd350152080713f33e26fd7df202 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff -Nru openssh-10.0p1/debian/patches/scp-quoting.patch
openssh-10.0p1/debian/patches/scp-quoting.patch
--- openssh-10.0p1/debian/patches/scp-quoting.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/scp-quoting.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 999eab9bf1499834341de56a71d5457ae2938840 Mon Sep 17 00:00:00 2001
+From 65ac1c47a87548ec1f651a70e5c5f869932f22c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <[email protected]>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
diff -Nru openssh-10.0p1/debian/patches/selinux-role.patch
openssh-10.0p1/debian/patches/selinux-role.patch
--- openssh-10.0p1/debian/patches/selinux-role.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/selinux-role.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From ad6e66e766ecc3a76c62c6daf81ebf19432713cb Mon Sep 17 00:00:00 2001
+From 07862c90f7824e24d59ea65ffcb8dbba5f84315b Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <[email protected]>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
diff -Nru openssh-10.0p1/debian/patches/shell-path.patch
openssh-10.0p1/debian/patches/shell-path.patch
--- openssh-10.0p1/debian/patches/shell-path.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/shell-path.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From aff1a94c2716097f669efd7d59b257f50232c01e Mon Sep 17 00:00:00 2001
+From 1287ec850f54ee03ecda93da92c8bcb478d5d977 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff -Nru openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch
openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch
--- openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/skip-utimensat-test-on-zfs.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 44616edf6f926b9fec6a322c755fb1bb8c90e7fe Mon Sep 17 00:00:00 2001
+From 3d83f47df49d9b38dd014ef87089b14b42060250 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Mon, 11 Mar 2024 16:24:49 +0000
Subject: Skip utimensat test on ZFS
diff -Nru openssh-10.0p1/debian/patches/ssh-agent-setgid.patch
openssh-10.0p1/debian/patches/ssh-agent-setgid.patch
--- openssh-10.0p1/debian/patches/ssh-agent-setgid.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/ssh-agent-setgid.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 8b13bba78cbebca9f74c89f6d35c716b871f9598 Mon Sep 17 00:00:00 2001
+From 386a2152594d6e53db899af4bdb2ea568e6c0065 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff -Nru openssh-10.0p1/debian/patches/ssh-argv0.patch
openssh-10.0p1/debian/patches/ssh-argv0.patch
--- openssh-10.0p1/debian/patches/ssh-argv0.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/ssh-argv0.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From fbda96f6f98870a8445019875f8783243e53ed01 Mon Sep 17 00:00:00 2001
+From 415dea4eae964c38608df1c06e4ad3a6a5f746e0 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
diff -Nru openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch
openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch
--- openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/ssh-vulnkey-compat.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From d0cbcbf53d5f0d4457b47a09af06aac1f483e712 Mon Sep 17 00:00:00 2001
+From 3e3094331c64231cc7b4f92d01e72550730c5b78 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
diff -Nru openssh-10.0p1/debian/patches/syslog-level-silent.patch
openssh-10.0p1/debian/patches/syslog-level-silent.patch
--- openssh-10.0p1/debian/patches/syslog-level-silent.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/syslog-level-silent.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 098e60e62af180a1e2e2a7b0587da696cc34b92b Mon Sep 17 00:00:00 2001
+From 1b733e33ad1ea028d9840eef53da64b7316461cf Mon Sep 17 00:00:00 2001
From: Natalie Amery <[email protected]>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
diff -Nru openssh-10.0p1/debian/patches/systemd-socket-activation.patch
openssh-10.0p1/debian/patches/systemd-socket-activation.patch
--- openssh-10.0p1/debian/patches/systemd-socket-activation.patch
2026-02-03 13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/systemd-socket-activation.patch
2026-03-27 18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From aa7d7ffcefa83f6a524da54a10cd9026b6012695 Mon Sep 17 00:00:00 2001
+From 7f825ab75842dd91ad2ac00acabc5ea0350c6794 Mon Sep 17 00:00:00 2001
From: Steve Langasek <[email protected]>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
diff -Nru openssh-10.0p1/debian/patches/user-group-modes.patch
openssh-10.0p1/debian/patches/user-group-modes.patch
--- openssh-10.0p1/debian/patches/user-group-modes.patch 2026-02-03
13:15:29.000000000 +0000
+++ openssh-10.0p1/debian/patches/user-group-modes.patch 2026-03-27
18:28:37.000000000 +0000
@@ -1,4 +1,4 @@
-From 69d17a6efb4ca9c28fdc700154affb67d696a4ee Mon Sep 17 00:00:00 2001
+From 563f24fe1c7dda0189679de9a4e55cd5d9d08c34 Mon Sep 17 00:00:00 2001
From: Colin Watson <[email protected]>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability