Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/openssh@1:10.3p1-1
purl pkg:deb/debian/openssh@1:10.3p1-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (5)
Vulnerability Summary Aliases
VCID-792n-jkzj-qqhd In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). CVE-2026-35385
VCID-8efr-budq-6bb6 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. CVE-2026-35414
VCID-a4eq-r71a-buhm In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. CVE-2026-35386
VCID-bnrq-2fsr-mfgd OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. CVE-2026-35388
VCID-kgn5-p8kx-qucj OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. CVE-2026-35387

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:07:42.179716+00:00 Debian Importer Fixing VCID-792n-jkzj-qqhd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:05:40.521197+00:00 Debian Importer Fixing VCID-8efr-budq-6bb6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:51:17.478126+00:00 Debian Importer Fixing VCID-kgn5-p8kx-qucj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:27:50.416789+00:00 Debian Importer Fixing VCID-a4eq-r71a-buhm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:46:37.164015+00:00 Debian Importer Fixing VCID-bnrq-2fsr-mfgd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T09:01:44.694478+00:00 Debian Importer Fixing VCID-792n-jkzj-qqhd https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:16:01.284506+00:00 Debian Importer Fixing VCID-8efr-budq-6bb6 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:05:31.931029+00:00 Debian Importer Fixing VCID-kgn5-p8kx-qucj https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:03:37.534436+00:00 Debian Importer Fixing VCID-a4eq-r71a-buhm https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T05:45:21.241435+00:00 Debian Importer Fixing VCID-bnrq-2fsr-mfgd https://security-tracker.debian.org/tracker/data/json 38.3.0