import UBI openssh-8.7p1-47.el9_7

SOURCES/openssh-8.7p1-reject-cntrl-chars-in-username.patch

@@ -0,0 +1,59 @@
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2025-12-09 17:16:21.659356384 +0100
++++ b/ssh.c	2025-12-09 17:32:17.419007807 +0100
+@@ -653,6 +653,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -674,6 +676,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0;
+ 	char *p, *cp, *line, *argv0, *logfile, *host_arg;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -1024,8 +1027,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
++			if (options.user == NULL) {
+ 				options.user = optarg;
++				user_on_commandline = 1;
++			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1128,6 +1133,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
++				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1142,6 +1148,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
++					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1435,6 +1442,10 @@ main(int ac, char **av)
+ 	    (unsigned long long)pw->pw_uid);
+ 	cinfo->keyalias = xstrdup(options.host_key_alias ?
+ 	    options.host_key_alias : host_arg);
++
++	if (user_on_commandline && !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
++
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost, host,
+ 	    cinfo->portstr, options.user);
+ 	cinfo->host_arg = xstrdup(host_arg);

SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch

@@ -0,0 +1,15 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-09 17:16:21.637368818 +0100
++++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
+@@ -936,9 +936,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}

SPECS/openssh.spec

@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 46
+%global openssh_rel 47
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -300,6 +300,10 @@ Patch1024: openssh-8.7p1-allow-duplicate-subsystem.patch
 # upstream 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
 # upstream 0832aac79517611dd4de93ad0a83577994d9c907
 Patch1025: openssh-9.9p2-error_processing.patch
+# upstream 35d5917652106aede47621bb3f64044604164043
+Patch1026: openssh-8.7p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1027: openssh-8.7p1-reject-null-char-in-url-string.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -530,6 +534,8 @@ popd
 %patch1023 -p1 -b .openssl-log
 %patch1024 -p1 -b .allow-dup-subsystem
 %patch1025 -p1 -b .errcode_set
+%patch1026 -p1 -b .reject-cntrl-chars-in-username
+%patch1027 -p1 -b .reject-null-char-in-url-string
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -817,6 +823,12 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Dec 09 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-47
+- CVE-2025-61984: Reject usernames with control characters
+  Resolves: RHEL-128401
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128392
+
 * Mon Jul 21 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-46
 - Move the redhat help message to debug1 log level
   Resolves: RHEL-104580