Fri, 17 Jul 2026 17:33:54 UTC | login

Information for build openssh-9.8p1-1.2.5.xcpng8.3

ID5911
Package Nameopenssh
Version9.8p1
Release1.2.5.xcpng8.3
Epoch
DraftFalse
Sourcegit+https://github.com/xcp-ng-rpms/openssh.git#0fbcbf1d246468f80d1080796388406bcd6f7c0a
SummaryAn open source implementation of SSH protocol version 2
DescriptionSSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both.
Built bylucas.ravagnier
State complete
Volume DEFAULT
StartedFri, 17 Jul 2026 12:11:49 UTC
CompletedFri, 17 Jul 2026 12:37:44 UTC
Taskbuild (v8.3-incoming, /xcp-ng-rpms/openssh.git:0fbcbf1d246468f80d1080796388406bcd6f7c0a)
Extra{'source': {'original_url': 'git+https://github.com/xcp-ng-rpms/openssh.git?#0fbcbf1d246468f80d1080796388406bcd6f7c0a'}}
Tags
v8.3-incoming
RPMs
src
openssh-9.8p1-1.2.5.xcpng8.3.src.rpm (info) (download)
x86_64
openssh-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
openssh-clients-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
openssh-keycat-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
openssh-server-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
openssh-sk-dummy-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
openssh-debuginfo-9.8p1-1.2.5.xcpng8.3.x86_64.rpm (info) (download)
Logs
x86_64
build.log
installed_pkgs.log
hw_info.log
state.log
mock_output.log
root.log
mock_config.log
Changelog * Wed Jul 15 2026 Lucas Ravagnier <lucas.ravagnier@vates.tech> - 9.8p1-1.2.5 - Fix CVE-2025-32728 (X11 and agent forwarding were not disabled by the DisableForwarding option due to a logic error) - Fix CVE-2025-61984 (ssh(1) did not reject control characters in remote usernames supplied on the commandline, which could be abused to inject data into a ProxyCommand relying on %r expansion) - Fix CVE-2025-61985 ('\0' characters were not rejected in url-encoded strings such as ssh:// URIs, which could allow NUL-byte smuggling into values used by ProxyCommand, potentially leading to code execution) - Fix CVE-2026-35385 (files downloaded as root with scp's legacy -O mode but without -p did not have their setuid/setgid bits cleared, allowing privilege escalation) - Fix CVE-2026-35388 (missing askpass confirmation when using ControlMaster=ask/autoask with "ssh -O proxy ...") * Wed Apr 29 2026 Vincent Michel <vincent.michel@vates.tech> - 9.8p1-1.2.4 - Disable the use of ssh-rsa with SHA-1 (temporarily enabled in 9.8p1-1.2.2) * Fri Apr 17 2026 Lucas Ravagnier <lucas.ravagnier@vates.tech> - 9.8p1-1.2.3 - Add patch upstream log when refusing a certificate as dependency for CVE-2026-35414 patch - Fix CVE-2026-35414 (Bypass of authorized_keys) - Test for CVE-2026-35414 (with a fix for this test) - Fix ECDSA Bypass * Thu Mar 12 2026 Lucas Ravagnier <lucas.ravagnier@vates.tech> - 9.8p1-1.2.2 - Temporally enabled ssh-rsa with warning. Docs: https://datatracker.ietf.org/doc/html/rfc8332 * Tue Feb 03 2026 Philippe Coval <philippe.coval@vates.tech> - 9.8p1-1.2.1 - Refresh XCP-ng patches: - Drop unnecessary hardening and gssapi patches - Replace CVE-2025-26465 backport with upstream patch from 9.9p1 - Sync with 9.8p1-1.2 - *** Upstream changelog *** - * Fri Nov 07 2025 Alex Brett <alex.brett@citrix.com> - 9.8p1-1.2 - - CA-420416: Remove diffie-hellman-group14-sha1 KexAlgorithm - * Thu Jan 02 2025 Deli Zhang <deli.zhang@cloud.com> - 9.8p1-1.1 - - CA-400917: Disable PerSourcePenalties - - CA-401322: Revert sshd.pam to xs8 default - - CA-401322: Ensure new config files applied - * Fri Sep 13 2024 Deli Zhang <deli.zhang@citrix.com> - 9.8p1-1 - - CP-50298: Upgrade to version 9.8p1 - * Wed Jul 31 2024 Lin Liu <lin.liu@citrix.com> - 8.8p1-3 - - CP-50477: Customize ssh configurations - * Mon Sep 25 2023 Lin Liu <lin.liu@citrix.com> - 8.8p1-2 - - CP-45435: Permit root ssh login - * Thu Jul 20 2023 Lin Liu <lin.liu@citrix.com> - 8.8p1-1 - - First imported release * Mon Apr 28 2025 Yann Dirson <yann.dirson@vates.tech> - 7.4p1-23.3.3 + 0.10.3-2.23.3.3 - Rebuild against ncurses 6.4-6.20240309 to pull abi5 (compat) libs * Mon Mar 17 2025 Lucas Ravagnier <lucas.ravagnier@vates.tech> - 7.4p1-23.3.2 + 0.10.3-2.23.3.2 - Fix CVE-2025-26465 - Fix cases where error codes were not correctly set * Mon Aug 12 2024 Samuel Verschelde <stormi-xcp@ylix.fr> - 7.4p1-23.3.1 + 0.10.3-2.23.3.1 - Sync with 7.4p1-23.3 + 0.10.3-2.23.3 - *** Upstream changelog *** - * Tue Jul 02 2024 Ross Lagerwall <ross.lagerwall@citrix.com> - 7.4p1-23.3 + 0.10.3-2 - - CP-50166: Remove libsystemd integration - - CA-395182: Fix CVE-2024-6387 - use of non-async-signal-safe fn in sighandler * Tue Apr 30 2024 Thierry Escande <thierry.escande@vates.tech> - 7.4p1-23.2.1 + 0.10.3-2.23.2.1 - Harden default ciphers and algorithms - Disable GSSAPIAuthentication in sshd_config - Remove build dependency on xauth (used for X11 forwarding not supported on XCP-ng hosts) - Make use of xcpng_subrel macro for versioning - Disable gnome_askpass - Add BuildRequires for gcc * Wed Jan 24 2024 Alex Brett <alex.brett@cloud.com> - 7.4p1-23.2 + 0.10.3-2 - Fix for CVE-2023-48795: Add strict key exchange extension * Thu Dec 14 2023 Alex Brett <alex.brett@cloud.com> - 7.4p1-23.1 + 0.10.3-2 - Imported openssh-7.4p1-23.el7_9 from CentOS, including: - Fix for CVE-2023-38408 - Fix for CVE-2021-41617 - Fix for CVE-2018-15473 - Fix for CVE-2017-15906