mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-08 14:10:38 +02:00
Release notes since 10.2p1 (2025-10-10):
- 10.3p1 (2026-04-02) <https://www.openssh.org/txt/release-10.3>.

Contains fixes for:

CVE-2026-35385: A file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVE-2026-35386: Command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.

CVE-2026-35387: OpenSSH can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

CVE-2026-35388: OpenSSH before omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

CVE-2026-35414: OpenSSH mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

* gnu/packages/ssh.scm (openssh): Update to 10.3p1.

Merges: https://codeberg.org/guix/guix/pulls/7695
Change-Id: I9e90c3ef02f567d0f5b2485c4e0bcfaa1a1f31c8
Reviewed-by: Nguyễn Gia Phong <cnx@loang.net>
Reviewed-by: Jonas Meeuws <jonas.meeuws@gmail.com>
Reviewed-by: Cayetano Santos <csantosb@inventati.org>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>