11 changed files with 811 additions and 31 deletions
--- a/SOURCES/openssh-8.0p1-CVE-2025-26465.patch
+++ b/SOURCES/openssh-8.0p1-CVE-2025-26465.patch
@ -0,0 +1,57 @@
+diff --git a/openssh-8.0p1/krl.c b/openssh-8.0p1/krl.c
+index 8e2d5d5..e5b046d 100644
+--- a/openssh-8.0p1/krl.c
+++ b/openssh-8.0p1/krl.c
+@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
+				r = SSH_ERR_INVALID_FORMAT;
+ 				error("%s: insane bitmap gap", __func__);
+ 				goto out;
+ 			}
+@@ -1011,6 +1012,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
+ 		goto out;
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+ 		error("%s: alloc failed", __func__);
+ 		goto out;
+ 	}
+diff --git a/openssh-8.0p1/sshconnect2.c b/openssh-8.0p1/sshconnect2.c
+index ce855eb..9650b24 100644
+--- a/openssh-8.0p1/sshconnect2.c
+++ b/openssh-8.0p1/sshconnect2.c
+@@ -95,7 +95,7 @@ struct sockaddr *xxx_hostaddr;
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ {
+-	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
+	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -767,6 +767,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -777,6 +778,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -796,6 +798,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error("%s: server replied with unknown key: %s %s", __func__,
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
--- a/SOURCES/openssh-8.0p1-ecdsa-incomplete-application.patch
+++ b/SOURCES/openssh-8.0p1-ecdsa-incomplete-application.patch
@ -0,0 +1,99 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c	2026-04-15 12:41:41.506985043 +0200
+++ b/auth2-hostbased.c	2026-04-15 12:55:55.039916421 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh)
+ 		error("%s: cannot decode key: %s", __func__, pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error("%s: type mismatch for decoded key "
+-		    "(received %d, expected %d)", __func__, key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error("%s: key type mismatch for decoded key "
+		    "(received %s, expected %s)", __func__, sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (sshkey_type_plain(key->type) == KEY_RSA &&
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c	2026-04-15 12:41:41.507225986 +0200
+++ b/auth2-pubkey.c	2026-04-15 12:55:06.559875789 +0200
+@@ -136,9 +136,10 @@ userauth_pubkey(struct ssh *ssh)
+ 		error("%s: cannot decode key: %s", __func__, pkalg);
+ 		goto done;
+ 	}
+-	if (key->type != pktype) {
+-		error("%s: type mismatch for decoded key "
+-		    "(received %d, expected %d)", __func__, key->type, pktype);
+	if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
+	    sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
+		error("%s: key type mismatch for decoded key "
+		    "(received %s, expected %s)", __func__, sshkey_ssh_name(key), pkalg);
+ 		goto done;
+ 	}
+ 	if (sshkey_type_plain(key->type) == KEY_RSA &&
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c	2026-04-15 12:41:41.546573648 +0200
+++ b/sshconnect2.c	2026-04-15 12:47:56.862867930 +0200
+@@ -91,10 +91,15 @@ u_int session_id2_len = 0;
+ 
+ char *xxx_host;
+ struct sockaddr *xxx_hostaddr;
+static int key_type_allowed(struct sshkey *, const char *);
+ 
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ {
+	if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
+		fatal("Server host key %s not in HostKeyAlgorithms",
+		    sshkey_ssh_name(hostkey));
+	}
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+@@ -1662,34 +1667,36 @@ load_identity_file(Identity *id)
+ }
+ 
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
+key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+-	if (match_pattern_list(sshkey_ssh_name(key),
+-	    options.pubkey_key_types, 0) == 1)
+	if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ 		return 1;
+ 
+ 	/* RSA keys/certs might be allowed by alternate signature types */
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-		if (match_pattern_list("rsa-sha2-512",
+-		    options.pubkey_key_types, 0) == 1)
+		if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ 			return 1;
+-		if (match_pattern_list("rsa-sha2-256",
+-		    options.pubkey_key_types, 0) == 1)
+		if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	case KEY_RSA_CERT:
+ 		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+-		    options.pubkey_key_types, 0) == 1)
+		    allowlist, 0) == 1)
+ 			return 1;
+ 		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+-		    options.pubkey_key_types, 0) == 1)
+		    allowlist, 0) == 1)
+ 			return 1;
+ 		break;
+ 	}
+ 	return 0;
+ }
+ 
+static int
+key_type_allowed_by_config(struct sshkey *key)
+{
+	return key_type_allowed(key, options.pubkey_key_types);
+}
+ 
+ /*
+  * try keys in the following order:
--- a/SOURCES/openssh-8.0p1-gssapi-keyex.patch
+++ b/SOURCES/openssh-8.0p1-gssapi-keyex.patch
@ -1504,11 +1504,9 @@ index 2abbb9ef..569dc83f 100644
 kex_gen_hash(
     int hash_alg,
     const struct sshbuf *client_version,
-diff --git a/kexgssc.c b/kexgssc.c
-new file mode 100644
-index 00000000..0b2f6a56
--- /dev/null
-+++ b/kexgssc.c
+diff --color -ruNp a/kexgssc.c b/kexgssc.c
+--- a/kexgssc.c	1970-01-01 01:00:00.000000000 +0100
+++ b/kexgssc.c	2026-03-16 15:43:01.131354176 +0100
@@ -0,0 +1,618 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1564,8 +1562,8 @@ index 00000000..0b2f6a56
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER,
-+	    gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
+	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *server_blob = NULL;
@ -1717,11 +1715,11 @@ index 00000000..0b2f6a56
 +						fatal("Failed to read token: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
+						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
+						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				if ((r = sshpkt_get_end(ssh)) != 0) {
 +					fatal("Expecting end of packet.");
@ -1737,7 +1735,7 @@ index 00000000..0b2f6a56
 +					fatal("sshpkt_get failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
+				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@ -1810,7 +1808,7 @@ index 00000000..0b2f6a56
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
+		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@ -1842,8 +1840,8 @@ index 00000000..0b2f6a56
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
-+            msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
+	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *shared_secret = NULL;
@ -2014,11 +2012,11 @@ index 00000000..0b2f6a56
 +						fatal("sshpkt failed: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
+						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
+						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				break;
 +			case SSH2_MSG_KEXGSS_ERROR:
@ -2031,7 +2029,7 @@ index 00000000..0b2f6a56
 +					fatal("sshpkt failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
+				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@ -2093,7 +2091,7 @@ index 00000000..0b2f6a56
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
+		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@ -2128,11 +2126,9 @@ index 00000000..0b2f6a56
 +	return r;
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
-diff --git a/kexgsss.c b/kexgsss.c
-new file mode 100644
-index 00000000..60bc02de
--- /dev/null
-+++ b/kexgsss.c
+diff --color -ruNp a/kexgsss.c b/kexgsss.c
+--- a/kexgsss.c	1970-01-01 01:00:00.000000000 +0100
+++ b/kexgsss.c	2026-03-16 15:45:31.256395698 +0100
@@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -2200,7 +2196,8 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
+	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
+	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@ -2304,7 +2301,7 @@ index 00000000..60bc02de
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			sshpkt_disconnect(ssh,
+			ssh_packet_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}
@ -2403,7 +2400,8 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
+	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
+	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@ -2459,10 +2457,8 @@ index 00000000..60bc02de
 +		fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
 +		    min, nbits, max);
 +	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
-+	if (kex->dh == NULL) {
-+		sshpkt_disconnect(ssh, "Protocol error: no matching group found");
-+		fatal("Protocol error: no matching group found");
-+	}
+	if (kex->dh == NULL)
+		ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
 +
 +	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
 +	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
@ -2500,7 +2496,7 @@ index 00000000..60bc02de
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			sshpkt_disconnect(ssh,
+			ssh_packet_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}
--- a/SOURCES/openssh-8.0p1-mux-askpass-check.patch
+++ b/SOURCES/openssh-8.0p1-mux-askpass-check.patch
@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c	2026-04-15 12:22:36.533931440 +0200
+++ b/mux.c	2026-04-15 12:24:40.020578991 +0200
+@@ -1133,6 +1133,16 @@ mux_master_process_proxy(struct ssh *ssh
+ 
+ 	debug("%s: channel %d: proxy request", __func__, c->self);
+ 
+	if (options.control_master == SSHCTL_MASTER_ASK ||
+	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
+		if (!ask_permission("Allow multiplex proxy connection?")) {
+			debug2("%s: proxy refused by user", __func__);
+			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
+			    "Permission denied");
+			return 0;
+		}
+	}
+
+ 	c->mux_rcb = channel_proxy_downstream;
+ 	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ 	    (r = sshbuf_put_u32(reply, rid)) != 0)
--- a/SOURCES/openssh-8.0p1-proxyjump-username-validity-checks.patch
+++ b/SOURCES/openssh-8.0p1-proxyjump-username-validity-checks.patch
@ -0,0 +1,425 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2026-04-15 13:31:07.822096096 +0200
+++ b/misc.c	2026-04-15 13:33:04.228235182 +0200
+@@ -89,6 +89,20 @@ chop(char *s)
+ 
+ }
+ 
+/* remove whitespace from end of string */
+void
+rtrim(char *s)
+{
+	size_t i;
+
+	if ((i = strlen(s)) == 0)
+		return;
+	for (i--; i > 0; i--) {
+		if (isspace((int)s[i]))
+			s[i] = '\0';
+	}
+}
+
+ /* set/unset filedescriptor to non-blocking */
+ int
+ set_nonblock(int fd)
+diff --color -ruNp a/misc.h b/misc.h
+--- a/misc.h	2019-04-18 00:52:57.000000000 +0200
+++ b/misc.h	2026-04-15 13:33:13.656428006 +0200
+@@ -44,6 +44,7 @@ struct ForwardOptions {
+ /* misc.c */
+ 
+ char	*chop(char *);
+void	 rtrim(char *);
+ char	*strdelim(char **);
+ char	*strdelimw(char **);
+ int	 set_nonblock(int);
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c	2026-04-15 13:31:07.787080808 +0200
+++ b/readconf.c	2026-04-15 13:31:40.930531592 +0200
+@@ -1195,9 +1195,6 @@ parse_char_array:
+ 
+ 	case oProxyCommand:
+ 		charptr = &options->proxy_command;
+-		/* Ignore ProxyCommand if ProxyJump already specified */
+-		if (options->jump_host != NULL)
+-			charptr = &options->jump_host; /* Skip below */
+ parse_command:
+ 		if (s == NULL)
+ 			fatal("%.200s line %d: Missing argument.", filename, linenum);
+@@ -1212,7 +1209,7 @@ parse_command:
+ 			    filename, linenum);
+ 		}
+ 		len = strspn(s, WHITESPACE "=");
+-		if (parse_jump(s + len, options, *activep) == -1) {
+		if (parse_jump(s + len, options, cmdline, *activep) == -1) {
+ 			fatal("%.200s line %d: Invalid ProxyJump \"%s\"",
+ 			    filename, linenum, s + len);
+ 		}
+@@ -2440,57 +2437,116 @@ parse_forward(struct Forward *fwd, const
+ }
+ 
+ int
+-parse_jump(const char *s, Options *o, int active)
+ssh_valid_hostname(const char *s)
+ {
+-	char *orig, *sdup, *cp;
+-	char *host = NULL, *user = NULL;
+-	int ret = -1, port = -1, first;
+	size_t i;
+ 
+-	active &= o->proxy_command == NULL && o->jump_host == NULL;
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL ||
+		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+			return 0;
+	}
+	return 1;
+}
+
+int
+ssh_valid_ruser(const char *s)
+{
+	size_t i;
+
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (iscntrl((u_char)s[i]))
+			return 0;
+		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+			return 0;
+		/* Disallow '-' after whitespace */
+		if (isspace((u_char)s[i]) && s[i + 1] == '-')
+			return 0;
+		/* Disallow \ in last position */
+		if (s[i] == '\\' && s[i + 1] == '\0')
+			return 0;
+	}
+	return 1;
+}
+
+int
+parse_jump(const char *s, Options *o, int strict, int active)
+{
+	char *orig = NULL, *sdup = NULL, *cp;
+	char *tmp_user = NULL, *tmp_host = NULL, *host = NULL, *user = NULL;
+	int r, ret = -1, tmp_port = -1, port = -1, first = 1;
+
+	if (strcasecmp(s, "none") == 0) {
+		if (active && o->jump_host == NULL) {
+			o->jump_host = xstrdup("none");
+			o->jump_port = 0;
+		}
+		return 0;
+	}
+
+	orig = xstrdup(s);
+	if ((cp = strchr(orig, '#')) != NULL)
+		*cp = '\0';
+	rtrim(orig);
+ 
+-	orig = sdup = xstrdup(s);
+-	first = active;
+	active &= o->proxy_command == NULL && o->jump_host == NULL;
+	sdup = xstrdup(orig);
+ 	do {
+-		if (strcasecmp(s, "none") == 0)
+-			break;
+		/* Work backwards through string */
+ 		if ((cp = strrchr(sdup, ',')) == NULL)
+ 			cp = sdup; /* last */
+ 		else
+ 			*cp++ = '\0';
+ 
+-		if (first) {
+-			/* First argument and configuration is active */
+-			if (parse_ssh_uri(cp, &user, &host, &port) == -1 ||
+-			    parse_user_host_port(cp, &user, &host, &port) != 0)
+		r = parse_ssh_uri(cp, &tmp_user, &tmp_host, &tmp_port);
+		if (r == -1 || (r == 1 && parse_user_host_port(cp,
+		    &tmp_user, &tmp_host, &tmp_port) != 0))
+			goto out; /* error already logged */
+		if (strict) {
+			if (!ssh_valid_hostname(tmp_host)) {
+				error("%s: invalid hostname \"%s\"", __func__, tmp_host);
+ 				goto out;
+-		} else {
+-			/* Subsequent argument or inactive configuration */
+-			if (parse_ssh_uri(cp, NULL, NULL, NULL) == -1 ||
+-			    parse_user_host_port(cp, NULL, NULL, NULL) != 0)
+			}
+			if (tmp_user != NULL && !ssh_valid_ruser(tmp_user)) {
+				error("%s: invalid username \"%s\"", __func__, tmp_user);
+ 				goto out;
+			}
+		}
+		if (first) {
+			user = tmp_user;
+			host = tmp_host;
+			port = tmp_port;
+			tmp_user = tmp_host = NULL; /* transferred */
+ 		}
+ 		first = 0; /* only check syntax for subsequent hosts */
+		free(tmp_user);
+		free(tmp_host);
+		tmp_user = tmp_host = NULL;
+		tmp_port = -1;
+ 	} while (cp != sdup);
+
+ 	/* success */
+ 	if (active) {
+-		if (strcasecmp(s, "none") == 0) {
+-			o->jump_host = xstrdup("none");
+-			o->jump_port = 0;
+-		} else {
+-			o->jump_user = user;
+-			o->jump_host = host;
+-			o->jump_port = port;
+-			o->proxy_command = xstrdup("none");
+-			user = host = NULL;
+-			if ((cp = strrchr(s, ',')) != NULL && cp != s) {
+-				o->jump_extra = xstrdup(s);
+-				o->jump_extra[cp - s] = '\0';
+-			}
+		o->jump_user = user;
+		o->jump_host = host;
+		o->jump_port = port;
+		o->proxy_command = xstrdup("none");
+		user = host = NULL; /* transferred */
+		if (orig != NULL && (cp = strrchr(orig, ',')) != NULL) {
+			o->jump_extra = xstrdup(orig);
+			o->jump_extra[cp - orig] = '\0';
+ 		}
+ 	}
+ 	ret = 0;
+  out:
+ 	free(orig);
+	free(sdup);
+	free(tmp_user);
+	free(tmp_host);
+ 	free(user);
+ 	free(host);
+ 	return ret;
+diff --color -ruNp a/readconf.h b/readconf.h
+--- a/readconf.h	2026-04-15 13:31:07.615351090 +0200
+++ b/readconf.h	2026-04-15 13:31:40.931797538 +0200
+@@ -211,7 +211,9 @@ int	 process_config_line(Options *, stru
+ int	 read_config_file(const char *, struct passwd *, const char *,
+     const char *, Options *, int, int *);
+ int	 parse_forward(struct Forward *, const char *, int, int);
+-int	 parse_jump(const char *, Options *, int);
+int	 ssh_valid_hostname(const char *);
+int	 ssh_valid_ruser(const char *);
+int	 parse_jump(const char *, Options *, int, int);
+ int	 parse_ssh_uri(const char *, char **, char **, int *);
+ int	 default_ssh_port(void);
+ int	 option_clear_or_none(const char *);
+diff --color -ruNp a/regress/Makefile b/regress/Makefile
+--- a/regress/Makefile	2026-04-15 13:31:07.748508810 +0200
+++ b/regress/Makefile	2026-04-15 13:31:40.932487948 +0200
+@@ -84,7 +84,8 @@ LTESTS= 	connect \
+ 		cfginclude \
+ 		servcfginclude \
+ 		allow-deny-users \
+-		authinfo
+		authinfo \
+		proxyjump
+ 
+ 
+ #		dhgex \
+diff --color -ruNp a/regress/proxyjump.sh b/regress/proxyjump.sh
+--- a/regress/proxyjump.sh	1970-01-01 01:00:00.000000000 +0100
+++ b/regress/proxyjump.sh	2026-04-15 13:31:40.932813345 +0200
+@@ -0,0 +1,102 @@
+#	$OpenBSD: proxyjump.sh,v 1.1 2026/03/30 07:19:02 djm Exp $
+#	Placed in the Public Domain.
+
+tid="proxyjump"
+
+# Parsing tests
+verbose "basic parsing"
+for jspec in \
+	"jump1" \
+	"user@jump1" \
+	"jump1:2222" \
+	"user@jump1:2222" \
+	"jump1,jump2" \
+	"user1@jump1:2221,user2@jump2:2222" \
+	"ssh://user@host:2223" \
+	; do
+	case "$jspec" in
+	"jump1")		expected="jump1" ;;
+	"user@jump1")		expected="user@jump1" ;;
+	"jump1:2222")		expected="jump1:2222" ;;
+	"user@jump1:2222")	expected="user@jump1:2222" ;;
+	"jump1,jump2")		expected="jump1,jump2" ;;
+	"user1@jump1:2221,user2@jump2:2222")
+		expected="user1@jump1:2221,user2@jump2:2222" ;;
+	"ssh://user@host:2223")	expected="user@host:2223" ;;
+	esac
+	f=`${SSH} -GF /dev/null -oProxyJump="$jspec" somehost | \
+		awk '/^proxyjump /{print $2}'`
+	if [ "$f" != "$expected" ]; then
+		fail "ProxyJump $jspec: expected $expected, got $f"
+	fi
+	f=`${SSH} -GF /dev/null -J "$jspec" somehost | \
+		awk '/^proxyjump /{print $2}'`
+	if [ "$f" != "$expected" ]; then
+		fail "ssh -J $jspec: expected $expected, got $f"
+	fi
+done
+
+verbose "precedence"
+f=`${SSH} -GF /dev/null -oProxyJump=none -oProxyJump=jump1 somehost | \
+	grep "^proxyjump "`
+if [ -n "$f" ]; then
+	fail "ProxyJump=none first did not win"
+fi
+f=`${SSH} -GF /dev/null -oProxyJump=jump -oProxyCommand=foo somehost | \
+	grep "^proxyjump "`
+if [ "$f" != "proxyjump jump" ]; then
+	fail "ProxyJump first did not win over ProxyCommand"
+fi
+f=`${SSH} -GF /dev/null -oProxyCommand=foo -oProxyJump=jump somehost | \
+	grep "^proxycommand "`
+if [ "$f" != "proxycommand foo" ]; then
+	fail "ProxyCommand first did not win over ProxyJump"
+fi
+
+verbose "command-line -J invalid characters"
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+for jspec in \
+	"host;with;semicolon" \
+	"host'with'quote" \
+	"host\`with\`backtick" \
+	"host\$with\$dollar" \
+	"host(with)brace" \
+	"user;with;semicolon@host" \
+	"user'with'quote@host" \
+	"user\`with\`backtick@host" \
+	"user(with)brace@host" ; do
+	${SSH} -GF /dev/null -J "$jspec" somehost >/dev/null 2>&1
+	if [ $? -ne 255 ]; then
+		fail "ssh -J \"$jspec\" was not rejected"
+	fi
+	${SSH} -GF /dev/null -oProxyJump="$jspec" somehost >/dev/null 2>&1
+	if [ $? -ne 255 ]; then
+		fail "ssh -oProxyJump=\"$jspec\" was not rejected"
+	fi
+done
+# Special characters should be accepted in the config though.
+echo "ProxyJump user;with;semicolon@host;with;semicolon" >> $OBJ/ssh_config
+f=`${SSH} -GF $OBJ/ssh_config somehost | grep "^proxyjump "`
+if [ "$f" != "proxyjump user;with;semicolon@host;with;semicolon" ]; then
+	fail "ProxyJump did not allow special characters in config: $f"
+fi
+
+verbose "functional test"
+# Use different names to avoid the loop detection in ssh.c
+grep -iv HostKeyAlias $OBJ/ssh_config.orig > $OBJ/ssh_config
+cat << _EOF >> $OBJ/ssh_config
+Host jump-host
+	HostkeyAlias jump-host
+Host target-host
+	HostkeyAlias target-host
+_EOF
+cp $OBJ/known_hosts $OBJ/known_hosts.orig
+sed 's/^[^ ]* /jump-host /' < $OBJ/known_hosts.orig > $OBJ/known_hosts
+sed 's/^[^ ]* /target-host /' < $OBJ/known_hosts.orig >> $OBJ/known_hosts
+start_sshd
+
+verbose "functional ProxyJump"
+res=`${REAL_SSH} -F $OBJ/ssh_config -J jump-host target-host echo "SUCCESS" 2>/dev/null`
+if [ "$res" != "SUCCESS" ]; then
+	fail "functional test failed: expected SUCCESS, got $res"
+fi
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2026-04-15 13:31:07.820492902 +0200
+++ b/ssh.c	2026-04-15 13:31:40.933136324 +0200
+@@ -576,43 +576,6 @@ set_addrinfo_port(struct addrinfo *addrs
+ 	}
+ }
+ 
+-static int
+-valid_hostname(const char *s)
+-{
+-	size_t i;
+-
+-	if (*s == '-')
+-		return 0;
+-	for (i = 0; s[i] != 0; i++) {
+-		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+-		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+-			return 0;
+-	}
+-	return 1;
+-}
+-
+-static int
+-valid_ruser(const char *s)
+-{
+-	size_t i;
+-
+-	if (*s == '-')
+-		return 0;
+-	for (i = 0; s[i] != 0; i++) {
+-		if (iscntrl((u_char)s[i]))
+-			return 0;
+-		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+-			return 0;
+-		/* Disallow '-' after whitespace */
+-		if (isspace((u_char)s[i]) && s[i + 1] == '-')
+-			return 0;
+-		/* Disallow \ in last position */
+-		if (s[i] == '\\' && s[i + 1] == '\0')
+-			return 0;
+-	}
+-	return 1;
+-}
+-
+ /*
+  * Main program for the ssh client.
+  */
+@@ -842,9 +805,9 @@ main(int ac, char **av)
+ 				fatal("Only a single -J option permitted");
+ 			if (options.proxy_command != NULL)
+ 				fatal("Cannot specify -J with ProxyCommand");
+-			if (parse_jump(optarg, &options, 1) == -1)
+			if (parse_jump(optarg, &options, 1, 1) == -1)
+
+ 				fatal("Invalid -J argument");
+-			options.proxy_command = xstrdup("none");
+ 			break;
+ 		case 't':
+ 			if (options.request_tty == REQUEST_TTY_YES)
+@@ -1085,10 +1048,15 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
+-	if (!valid_hostname(host))
+-		fatal("hostname contains invalid characters");
+-	if (options.user != NULL && !valid_ruser(options.user))
+	/*
+	 * Validate commandline-specified values that end up in %tokens
+	 * before they are used in config parsing.
+	 */
+	if (options.user != NULL && !ssh_valid_ruser(options.user))
+ 		fatal("remote username contains invalid characters");
+	if (!ssh_valid_hostname(host))
+		fatal("hostname contains invalid characters");
+
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
+@@ -1249,7 +1217,8 @@ main(int ac, char **av)
+ 			sshbin = "ssh";
+ 
+ 		/* Consistency check */
+-		if (options.proxy_command != NULL)
+		if (options.proxy_command != NULL &&
+		    strcasecmp(options.proxy_command, "none") != 0)
+ 			fatal("inconsistent options: ProxyCommand+ProxyJump");
+ 		/* Never use FD passing for ProxyJump */
+ 		options.proxy_use_fdpass = 0;
--- a/SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch
+++ b/SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch
@ -0,0 +1,12 @@
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2025-12-10 11:51:34.927545274 +0100
+++ b/ssh.c	2025-12-10 12:05:26.210486999 +0100
+@@ -599,6 +599,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
+		if (iscntrl((u_char)s[i]))
+			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
--- a/SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch
+++ b/SOURCES/openssh-8.0p1-upstream-ignore-SIGPIPE.patch
@ -0,0 +1,38 @@
+From d33ff14309e33aa79fdf95e1bc4facafa80b90a9 Mon Sep 17 00:00:00 2001
+From: Stepan Broz <sbroz@redhat.com>
+Date: Tue, 25 Jun 2024 17:38:22 +0200
+Subject: [PATCH] upstream: ignore SIGPIPE earlier in main(), specifically
+ before
+
+muxclient() which performs operations that could cause one; Reported by Noam
+Lewis via bz3454, ok dtucker@
+
+OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
+---
+ ssh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 786e26d..e037c66 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -1115,6 +1115,8 @@ main(int ac, char **av)
+ 		}
+ 	}
+ 
+	signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+
+ 	/*
+ 	 * Initialize "log" output.  Since we are the client all output
+ 	 * goes to stderr unless otherwise specified by -y or -E.
+@@ -1545,7 +1547,6 @@ main(int ac, char **av)
+ 	    options.num_system_hostfiles);
+ 	tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
+ 
+-	signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+ 	signal(SIGCHLD, main_sigchld_handler);
+ 
+ 	/* Log into the remote system.  Never returns if the login fails. */
+-- 
+2.45.2
+
--- a/SOURCES/openssh-8.7p1-authorized-keys-principles-option.patch
+++ b/SOURCES/openssh-8.7p1-authorized-keys-principles-option.patch
@ -0,0 +1,37 @@
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c	2026-04-13 15:13:58.759515611 +0200
+++ b/auth2-pubkey.c	2026-04-13 15:20:28.131029727 +0200
+@@ -329,20 +329,23 @@ user_key_verify(struct ssh *ssh, const s
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+-	char *result;
+	char *list, *olist, *entry;
+ 	u_int i;
+ 
+-	/* XXX percent_expand() sequences for authorized_principals? */
+-
+-	for (i = 0; i < cert->nprincipals; i++) {
+-		if ((result = match_list(cert->principals[i],
+-		    principal_list, NULL)) != NULL) {
+-			debug3("matched principal from key options \"%.100s\"",
+-			    result);
+-			free(result);
+-			return 1;
+	olist = list = xstrdup(principal_list);
+	for (;;) {
+		if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
+			break;
+		for (i = 0; i < cert->nprincipals; i++) {
+			if (strcmp(entry, cert->principals[i]) == 0) {
+				debug3("matched principal from key i"
+				    "options \"%.100s\"", entry);
+				free(olist);
+				return 1;
+			}
+ 		}
+ 	}
+	free(olist);
+ 	return 0;
+ }
+ 
--- a/SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch
+++ b/SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch
@ -0,0 +1,15 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-09 17:16:21.637368818 +0100
+++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
+@@ -936,9 +936,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
+			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
+			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
--- a/SOURCES/openssh-9.9p1-scp-clear-setuid.patch
+++ b/SOURCES/openssh-9.9p1-scp-clear-setuid.patch
@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c	2026-04-07 15:54:11.193730842 +0200
+++ b/scp.c	2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+ 
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
+	if (!pflag) {
+		mask |= 07000;
+ 		(void) umask(mask);
+	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@ -66,7 +66,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 24
+%global openssh_rel 29
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7

@ -292,6 +292,27 @@ Patch1018: openssh-9.6p1-CVE-2023-48795.patch
 Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 # SCP kill switch
 Patch1020: openssh-8.7p1-scp-kill-switch.patch
+#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
+Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch
+#upstream commit 0832aac79517611dd4de93ad0a83577994d9c907
+Patch1022: openssh-8.0p1-CVE-2025-26465.patch
+# upstream 35d5917652106aede47621bb3f64044604164043
+Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1025: openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch1026: openssh-8.0p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1027: openssh-8.0p1-ecdsa-incomplete-application.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1028: openssh-8.7p1-authorized-keys-principles-option.patch
+# upstream 76685c9b09a66435cd2ad8373246adf1c53976d3
+# upstream 0a0ef4515361143cad21afa072319823854c1cf6
+# upstream 607bd871ec029e9aa22e632a22547250f3cae223
+# upstream 1340d3fa8e4bb122906a82159c4c9b91584d65ce
+Patch1029: openssh-8.0p1-proxyjump-username-validity-checks.patch

 License: BSD
 Group: Applications/Internet
@ -539,6 +560,15 @@ popd
 %patch1018 -p1 -b .cve-2023-48795
 %patch1019 -p1 -b .cve-2023-51385
 %patch1020 -p1 -b .scp-kill-switch
+%patch1021 -p1 -b .ignore-SIGPIPE
+%patch1022 -p2 -b .cve-2025-26465
+%patch1023 -p1 -b .reject-cntrl-chars-in-username
+%patch1024 -p1 -b .reject-null-char-in-url-string
+%patch1025 -p1 -b .scp-clear-setuid
+%patch1026 -p1 -b .mux-askpass-check
+%patch1027 -p1 -b .ecdsa-incomplete-application
+%patch1028 -p1 -b .authorized-keys-principles-option
+%patch1029 -p1 -b .proxyjump-username-validity-checks

 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -824,6 +854,42 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
+* Mon Apr 13 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-29
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+  when not in preserving file mode
+  Resolves: RHEL-164743
+- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
+  multiplexing sessions
+  Resolves: RHEL-166240
+- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
+  and HostbasedAcceptedAlgorithms with regard to ECDSA keys
+  Resolves: RHEL-166224
+- CVE-2026-35414: Fix mishandling of authorized_keys principals option
+  Resolves: RHEL-166192
+- CVE-2026-35386: Add validation rules to usernames and hostnames
+  set for ProxyJump/-J on the commandline
+  Resolves: RHEL-166208
+
+* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-28
+- CVE-2026-3497: Fix information disclosure or denial of service due
+  to uninitialized variables in gssapi-keyex
+  Resolves: RHEL-155814
+
+* Wed Dec 10 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-27
+- CVE-2025-61984: Reject usernames with control characters
+  Resolves: RHEL-128400
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128390
+
+* Wed Aug 20 2025 Antonio Vieiro <avieirov@redhat.com> - 8.0p1-26
+- Fix missing invalid error code checks in OpenSSH. It prevents
+  a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465)
+  Resolves: RHEL-109228
+
+* Tue Jun 25 2024 Stepan Broz <sbroz@redhat.com> - 8.0p1-25
+- Upstream: Ignore SIGPIPE earlier in main()
+  Resolves: RHEL-37743
+
 * Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
 - Providing a kill switch for scp to deal with CVE-2020-15778
  Resolves: RHEL-22870