Bug#1117529: marked as done (openssh: CVE-2025-61984)

To: Colin Watson <cjwatson@debian.org>
Subject: Bug#1117529: marked as done (openssh: CVE-2025-61984)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Tue, 07 Oct 2025 21:25:05 +0000
Message-id: <[🔎] handler.1117529.D1117529.17598721813396834.ackdone@bugs.debian.org>
Reply-to: 1117529@bugs.debian.org
References: <E1v6F99-008BtO-2s@fasolo.debian.org> <[🔎] 175982342872.94514.12644459819644824562.reportbug@eldamar.lan>

Your message dated Tue, 07 Oct 2025 21:22:59 +0000
with message-id <E1v6F99-008BtO-2s@fasolo.debian.org>
and subject line Bug#1117529: fixed in openssh 1:10.1p1-1
has caused the Debian Bug report #1117529,
regarding openssh: CVE-2025-61984
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1117529: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117529
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssh: CVE-2025-61984
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 07 Oct 2025 09:50:28 +0200
Message-id: <[🔎] 175982342872.94514.12644459819644824562.reportbug@eldamar.lan>

Source: openssh
Version: 1:10.0p1-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for openssh.

CVE-2025-61984[0]:
| ssh in OpenSSH before 10.1 allows control characters in usernames
| that originate from certain possibly untrusted sources, potentially
| leading to code execution when a ProxyCommand is used. The untrusted
| sources are the command line and %-sequence expansion of a
| configuration file. (A configuration file that provides a complete
| literal username is not categorized as an untrusted source.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61984
    https://www.cve.org/CVERecord?id=CVE-2025-61984

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

To: 1117529-close@bugs.debian.org
Subject: Bug#1117529: fixed in openssh 1:10.1p1-1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 07 Oct 2025 21:22:59 +0000
Message-id: <E1v6F99-008BtO-2s@fasolo.debian.org>
Reply-to: Colin Watson <cjwatson@debian.org>

Source: openssh
Source-Version: 1:10.1p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1117529@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Oct 2025 22:07:19 +0100
Source: openssh
Architecture: source
Version: 1:10.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1095922 1111446 1117529 1117530
Changes:
 openssh (1:10.1p1-1) unstable; urgency=medium
 .
   [ Allison Karlitskaya ]
   * sshd@.service: Support ephemeral keys from VM/container hosts.
 .
   [ Colin Watson ]
   * New upstream release:
     - ssh(1): add a warning when the connection negotiates a non-post
       quantum key agreement algorithm.
     - ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS: by
       default, interactive traffic is assigned to the EF (Expedited
       Forwarding) class, while non-interactive traffic uses the operating
       system default DSCP marking.
     - ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
       keywords in the IPQoS configuration directive.
     - ssh-add(1): when adding certificates to an agent, set the expiry to
       the certificate expiry time plus a short (5 min) grace period.
     - All: remove experimental support for XMSS keys.
     - ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under
       ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).
     - CVE-2025-61984: ssh(1): disallow control characters in usernames
       passed via the commandline or expanded using %-sequences from the
       configuration file (closes: #1117529),
     - CVE-2025-61985: ssh(1): disallow \0 characters in ssh:// URIs (closes:
       #1117530).
     - ssh(1), sshd(8): add SIGINFO handlers to log active channel and
       session information.
     - sshd(8): when refusing a certificate for user authentication, log
       enough information to identify the certificate in addition to the
       reason why it was being denied. Makes debugging certificate
       authorisation problems a bit easier.
     - ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11 tokens.
     - ssh(1): add an ssh_config(5) RefuseConnection option that, when
       encountered while processing an active section in a configuration,
       terminates ssh(1) with an error message that contains the argument to
       the option.
     - sshd(8): make the X11 display number check relative to
       X11DisplayOffset. This will allow people to use X11DisplayOffset to
       configure much higher port ranges if they really want, while not
       changing the default behaviour.
     - ssh(1): fix delay on X client startup when ObscureKeystrokeTiming is
       enabled.
     - sshd(8): increase the maximum size of the supported configuration from
       256KB to 4MB, which ought to be enough for anybody. Fail early and
       visibly when this limit is breached.
     - sftp(1): during sftp uploads, avoid a condition where a failed write
       could be ignored if a subsequent write succeeded. This is unlikely but
       technically possible because sftp servers are allowed to reorder
       requests.
     - sshd(8): avoid a race condition when the sshd-auth process exits that
       could cause a spurious error message to be logged.
     - sshd(8): log at level INFO when PerSourcePenalties actually blocks
       access to a source address range. Previously this was logged at level
       VERBOSE, which hid enforcement actions under default config settings.
     - sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
       first-match-wins as advertised.
     - ssh(1): fix an incorrect return value check in the local forward
       cancellation path that would cause failed cancellations not to be
       logged.
     - sshd(8): make "Match !final" not trigger a second parsing pass of
       ssh_config (unless hostname canonicalisation or a separate "Match
       final" does).
     - ssh(1): better debug diagnostics when loading keys. Will now list key
       fingerprint and algorithm (not just algorithm number) as well as
       making it explicit which keys didn't load.
     - All: fix a number of memory leaks found by LeakSanitizer, Coverity and
       manual inspection.
     - sshd(8): Output the current name for PermitRootLogin's
       "prohibit-password" in sshd -T instead of its deprecated alias
       "without-password" (closes: #1095922).
     - ssh(1): make writing known_hosts lines more atomic by writing the
       entire line in one operation and using unbuffered stdio.
     - sshd(8): check the username didn't change during the PAM transactions.
     - sshd(8): don't log audit messages with UNKNOWN hostname to avoid slow
       DNS lookups in the audit subsystem.
     - All: when making a copy of struct passwd, ensure struct fields are
       non-NULL.
     - sshd(8): handle futex_time64 properly in seccomp sandbox.
     - Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
     - ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
       preventing a graceful shutdown of an agent via systemd from
       incorrectly marking the service as "failed".
   * Drop patches:
     - no-openssl-version-status.patch: Mostly applied upstream; the rest
       only applied to OpenSSL < 3, which isn't relevant to current Debian
       releases.
     - revert-ipqos-defaults.patch: This new upstream release reworks IPQoS,
       so let's see how that works in Debian (closes: #1111446).
   * debian/run-tests: Fix path to dropbear.
Checksums-Sha1:
 30e42189cb7b9c75cddb4523baa1d53bc2228e53 3500 openssh_10.1p1-1.dsc
 7fd17b99d1beffb47cd380d64079e920bb0bd91f 1972831 openssh_10.1p1.orig.tar.gz
 3067baf706cbf8497a00d40113eb6c246a5db569 833 openssh_10.1p1.orig.tar.gz.asc
 3965f1ff2d72d73966fa8fa517a996a7afcbcad7 199172 openssh_10.1p1-1.debian.tar.xz
Checksums-Sha256:
 b9f358bcbe0e780865dbb5733be37f68b72d4c8574a932dac389f98352af6a7c 3500 openssh_10.1p1-1.dsc
 b9fc7a2b82579467a6f2f43e4a81c8e1dfda614ddb4f9b255aafd7020bbf0758 1972831 openssh_10.1p1.orig.tar.gz
 a96151c3f5d5b4b6278a4f5b29861c1308c3a0b96c9acfcec5aaeef0bb84ea92 833 openssh_10.1p1.orig.tar.gz.asc
 f4b7f3687e1139757f0e0dbee03c3627421444caa68eeacc6df098d6e3c17d59 199172 openssh_10.1p1-1.debian.tar.xz
Files:
 a276fcc4f45b9aedc428479a0d71369d 3500 net standard openssh_10.1p1-1.dsc
 80dd9bb00a86519934710d05903fdf07 1972831 net standard openssh_10.1p1.orig.tar.gz
 97c2579d423ce6397bba2eee504a3ec1 833 net standard openssh_10.1p1.orig.tar.gz.asc
 631d8f12ef92841a9004e144141f1d96 199172 net standard openssh_10.1p1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmjlgTcACgkQOTWH2X2G
UAsSRBAArMXDacvEfXFuCAy5bFCatDzUGNF9TqOnLYR2P51bGipCjIUbcnCwPhhN
7KmvVp7nQ0lzTl6C5BuQ5t658feb9Msnd+/PGboeIvfl8oy5Wul8zyf9EBHK9yIt
78psiPXv+3q21yvV2uJzKpWt3LDaE2RcVYqBYKehgIpDCKSVTk6OH0FnZIsIAKsR
nY6yG3IBfxjFP4iGkV3TuzrWLhrdrFHaPLWuDB2bxItmkhhKZL+JEuu64KwtLkIa
eoR/81lDOsyxTZuQDuLFkUv2c8TGbzagdXrblDay344fIYsrlzS8IFvwy5n1Vo1F
8KWwV2mDB59Adn85FANgYdymQzitDxKkqqWNn+f9SXd85HbJgTykVOwA3sbwMouC
DP0IWdchoTl8fWytTTHWyMuNDg7s9w/CzRffhpco9Ura74qPPXNr7yG6bFhFk/cR
UQzbzaz5wLnQlT9Nj9kupriKyf1CMeoPk9htZ+m+3jbBagA4KFA3sWWlgwF+nQig
cjAzCC7vlk+A/5cZKPDrN+OIMMRQnMbPbC22bW2W3aXyABeh5y9brqHbNtE/TccG
DrOYY/zOcQWySRxpRqPu6k3Q5pToinLJRC1CipcX1Xkrv89JA4NM1e9KdODzPPu3
X6bXUfYXk6BGJaNr7JQh0hKt3swrQ2EauQsPFI6a5ydxT8275vs=
=sYUq
-----END PGP SIGNATURE-----

Attachment: pgpZectB8oVjL.pgp
Description: PGP signature

--- End Message ---

Reply to:

References:
- Bug#1117529: openssh: CVE-2025-61984
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1111446: marked as done (openssh: IPQoS changes upstream and debian revert-ipqos-defaults.patch since 2019 (#923879 and 923880))
Next by Date: Bug#1117530: marked as done (openssh: CVE-2025-61985)
Previous by thread: Processed: Bug#1117529 marked as pending in openssh
Next by thread: Bug#1117530: openssh: CVE-2025-61985
Index(es):
- Date
- Thread