diff --git a/openssh-9.9p1-reject-cntrl-chars-in-username.patch b/openssh-9.9p1-reject-cntrl-chars-in-username.patch
new file mode 100644
index 0000000..05bbe4d
--- /dev/null
+++ b/openssh-9.9p1-reject-cntrl-chars-in-username.patch
@@ -0,0 +1,59 @@
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2025-12-03 15:22:36.754555231 +0100
++++ b/ssh.c	2025-12-03 16:12:16.715320349 +0100
+@@ -662,6 +662,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -683,6 +685,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0;
+ 	char *p, *cp, *line, *argv0, *logfile;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -1039,8 +1042,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
++			if (options.user == NULL) {
+ 				options.user = optarg;
++				user_on_commandline = 1;
++			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1143,6 +1148,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
++				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1157,6 +1163,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
++					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1459,6 +1466,10 @@ main(int ac, char **av)
+ 	cinfo->locuser = xstrdup(pw->pw_name);
+ 	cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ 	    "" : options.jump_host);
++
++	if (user_on_commandline && !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
++
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
+ 	    cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
+ 
diff --git a/openssh-9.9p1-reject-null-char-in-url-string.patch b/openssh-9.9p1-reject-null-char-in-url-string.patch
new file mode 100644
index 0000000..9b2d378
--- /dev/null
+++ b/openssh-9.9p1-reject-null-char-in-url-string.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-03 16:19:11.255135131 +0100
++++ b/misc.c	2025-12-03 16:21:53.769590836 +0100
+@@ -998,7 +998,7 @@ urldecode(const char *src)
+ 	size_t srclen;
+ 
+ 	if ((srclen = strlen(src)) >= SIZE_MAX)
+-		fatal_f("input too large");
++		return NULL;
+ 	ret = xmalloc(srclen + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+ 		switch (*src) {
+@@ -1006,9 +1006,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
diff --git a/openssh.spec b/openssh.spec
index 9edead3..a26e1cf 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -43,7 +43,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 11%{?dist}.alma.1
+Release: 12%{?dist}.alma.1
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -214,6 +214,10 @@ Patch1025: openssh-9.9p1-non-supported-keys-err-msg.patch
 Patch1026: openssh-9.9p1-bad-hostkey.patch
 # https://github.com/openssh/openssh-portable/pull/500
 Patch1027: openssh-9.9p1-support-authentication-indicators-in-GSSAPI.patch
+# upstream 35d5917652106aede47621bb3f64044604164043
+Patch1028: openssh-9.9p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1029: openssh-9.9p1-reject-null-char-in-url-string.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -406,6 +410,8 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1025 -p1 -b .non-supported-keys-err-msg
 %patch -P 1026 -p1 -b .bad-hostkey
 %patch -P 1027 -p1 -b .gss-indicators
+%patch -P 1028 -p1 -b .reject-cntrl-chars-in-username
+%patch -P 1029 -p1 -b .reject-null-char-in-url-string
 
 %patch -P 100 -p1 -b .coverity
 
@@ -686,9 +692,15 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
-* Tue Nov 11 2025 Koichiro Iwao <meta@almalinux.org> - 9.9p1-11.alma.1
+* Wed Dec 17 2025 Koichiro Iwao <meta@almalinux.org> - 9.9p1-12.alma.1
 - Unpatch Red Hat help message
 
+* Mon Dec 08 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-12
+- CVE-2025-61984: Reject usernames with control characters
+  Resolves: RHEL-128397
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128387
+
 * Fri Jul 18 2025 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-11
 - Move the redhat help message to debug1 log level
   Resolves: RHEL-93957