Debian dla-4584 : openssh-client - security update

high Nessus Plugin ID 314975

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4584 advisory.

------------------------------------------------------------------------- Debian LTS Advisory DLA-4584-1 [email protected] https://www.debian.org/lts/security/ Santiago Ruano Rincn May 15, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openssh Version : 1:8.4p1-5+deb11u7 CVE ID : CVE-2025-61984 CVE-2025-61985 CVE-2026-35385 CVE-2026-35386 CVE-2026-35387 CVE-2026-35388 CVE-2026-35414 Debian Bug : 1117529 1117530 1132572 1132573 1132574 1132575 1132576

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2025-61984

ssh allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used.

CVE-2025-61985

ssh allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

CVE-2026-35385

When downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program. Reported by Christos Papakonstantinou of Cantina and Spearbit.

CVE-2026-35386

Validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a %u token in a Match exec block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands. Reported by Florian Kohnhuser.

OpenSSH developers continue to recommend against directly exposing ssh(1) and other tools' command-lines to untrusted input. Mitigations as the one addressing this issue can not be absolute given the variety of shells and user configurations in use.

CVE-2026-35387

ssh can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. Reported by Christos Papakonstantinou of Cantina and Spearbit.

CVE-2026-35388

Connection multiplexing confirmation (requested using ControlMaster ask/autoask) was not being tested for proxy mode multiplexing sessions (i.e.
ssh -O proxy ...). Reported by Michalis Vasileiadis.

CVE-2026-35414

When matching an authorized_keys principals= option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character. Exploitation of the condition requires an authorized_keys principals= option that lists more than one principal
*and* a CA that will issue a certificate that encodes more than one of these principal names separated by a comma (typical CAs strongly constrain which principal names they will place in a certificate). This condition only applies to user- trusted CA keys in authorized_keys, the main certificate authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by Vladimir Tokarev.

For Debian 11 bullseye, these problems have been fixed in version 1:8.4p1-5+deb11u7.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the openssh-client packages.

Plugin Details

Severity: High

ID: 314975

File Name: debian_DLA-4584.nasl

Version: 1.1

Type: Local

Agent: unix

Family: Debian Local Security Checks

Published: 5/15/2026

Updated: 5/15/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-35414

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ssh-askpass-gnome, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:openssh-server-udeb, p-cpe:/a:debian:debian_linux:ssh, p-cpe:/a:debian:debian_linux:openssh-sftp-server, p-cpe:/a:debian:debian_linux:openssh-server, p-cpe:/a:debian:debian_linux:openssh-tests, p-cpe:/a:debian:debian_linux:openssh-client, p-cpe:/a:debian:debian_linux:openssh-client-udeb

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/15/2026

Vulnerability Publication Date: 10/6/2025

Reference Information

CVE: CVE-2025-61984, CVE-2025-61985, CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414

IAVA: 2025-A-0729-S, 2025-A-0806-S, 2026-A-0296

Detections

Analytics