diff options
| author | Ashish SHUKLA <ashish.is@lostca.se> | 2026-04-05 21:37:06 +0200 |
|---|---|---|
| committer | Andreas Enge <andreas@enge.fr> | 2026-04-23 22:47:10 +0200 |
| commit | f8281945549008ef8b5b1932990716ff59d9afbf (patch) | |
| tree | 0f5ae23033d9441847ef30724d53c5dc8569f3ba /gnu/packages/python.scm | |
| parent | a50c44187acf4267824f945eec5e0fc2d47aadfa (diff) | |
gnu: openssh: Update to 10.3p1 [security-fixes].
Release notes since 10.2p1 (2025-10-10):
- 10.3p1 (2026-04-02)
<https://www.openssh.org/txt/release-10.3>.
Contains fixes for:
CVE-2026-35385: A file downloaded by scp may be installed setuid or setgid, an
outcome contrary to some users' expectations, if the download is
performed as root with -O (legacy scp protocol) and without -p
(preserve mode).
CVE-2026-35386: Command execution can occur via shell metacharacters in a
username within a command line. This requires a scenario where
the username on the command line is untrusted, and also requires
a non-default configurations of % in ssh_config.
CVE-2026-35387: OpenSSH can use unintended ECDSA algorithms. Listing of any
ECDSA algorithm in PubkeyAcceptedAlgorithms or
HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
algorithms.
CVE-2026-35388: OpenSSH before omits connection multiplexing confirmation for
proxy-mode multiplexing sessions.
CVE-2026-35414: OpenSSH mishandles the authorized_keys principals option in
uncommon scenarios involving a principals list in conjunction
with a Certificate Authority that makes certain use of comma
characters.
* gnu/packages/ssh.scm (openssh): Update to 10.3p1.
Merges: https://codeberg.org/guix/guix/pulls/7695
Change-Id: I9e90c3ef02f567d0f5b2485c4e0bcfaa1a1f31c8
Reviewed-by: Nguyễn Gia Phong <cnx@loang.net>
Reviewed-by: Jonas Meeuws <jonas.meeuws@gmail.com>
Reviewed-by: Cayetano Santos <csantosb@inventati.org>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
Diffstat (limited to 'gnu/packages/python.scm')
0 files changed, 0 insertions, 0 deletions
