import CS git openssh-8.0p1-28.el8_10

SOURCES/openssh-8.0p1-CVE-2025-26465.patch

@@ -1,9 +1,8 @@
-Description: fix MitM with VerifyHostKeyDNS option
+diff --git a/openssh-8.0p1/krl.c b/openssh-8.0p1/krl.c
-Origin: backported from patch provided by upstream to Qualys
+index 8e2d5d5..e5b046d 100644
-
+--- a/openssh-8.0p1/krl.c
---- a/krl.c
++++ b/openssh-8.0p1/krl.c
-+++ b/krl.c
+@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
-@@ -677,6 +677,7 @@ revoked_certs_generate(struct revoked_ce
  			break;
  		case KRL_SECTION_CERT_SERIAL_BITMAP:
  			if (rs->lo - bitmap_start > INT_MAX) {
@@ -11,7 +10,7 @@ Origin: backported from patch provided by upstream to Qualys
  				error("%s: insane bitmap gap", __func__);
  				goto out;
  			}
-@@ -1012,6 +1013,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
+@@ -1011,6 +1012,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
  		goto out;
  
  	if ((krl = ssh_krl_init()) == NULL) {
@@ -19,8 +18,10 @@ Origin: backported from patch provided by upstream to Qualys
  		error("%s: alloc failed", __func__);
  		goto out;
  	}
---- a/sshconnect2.c
+diff --git a/openssh-8.0p1/sshconnect2.c b/openssh-8.0p1/sshconnect2.c
-+++ b/sshconnect2.c
+index ce855eb..9650b24 100644
+--- a/openssh-8.0p1/sshconnect2.c
++++ b/openssh-8.0p1/sshconnect2.c
 @@ -95,7 +95,7 @@ struct sockaddr *xxx_hostaddr;
  static int
  verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
@@ -30,7 +31,7 @@ Origin: backported from patch provided by upstream to Qualys
  		fatal("Host key verification failed.");
  	return 0;
  }
-@@ -756,6 +756,7 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -767,6 +767,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  
  	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
  		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
@@ -38,7 +39,7 @@ Origin: backported from patch provided by upstream to Qualys
  		goto done;
  	}
  	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
-@@ -766,6 +767,7 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -777,6 +778,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  		error("input_userauth_pk_ok: type mismatch "
  		    "for decoded key (received %d, expected %d)",
  		    key->type, pktype);
@@ -46,7 +47,7 @@ Origin: backported from patch provided by upstream to Qualys
  		goto done;
  	}
  
-@@ -785,6 +787,7 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -796,6 +798,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
  		    SSH_FP_DEFAULT);
  		error("%s: server replied with unknown key: %s %s", __func__,
  		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);

SOURCES/openssh-8.0p1-gssapi-keyex.patch

@@ -1504,11 +1504,9 @@ index 2abbb9ef..569dc83f 100644
  kex_gen_hash(
      int hash_alg,
      const struct sshbuf *client_version,
-diff --git a/kexgssc.c b/kexgssc.c
+diff --color -ruNp a/kexgssc.c b/kexgssc.c
-new file mode 100644
+--- a/kexgssc.c	1970-01-01 01:00:00.000000000 +0100
-index 00000000..0b2f6a56
++++ b/kexgssc.c	2026-03-16 15:43:01.131354176 +0100
---- /dev/null
-+++ b/kexgssc.c
 @@ -0,0 +1,618 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1564,8 +1562,8 @@ index 00000000..0b2f6a56
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER,
++	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
-+	    gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *server_blob = NULL;
@@ -1717,11 +1715,11 @@ index 00000000..0b2f6a56
 +						fatal("Failed to read token: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
++						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
++						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				if ((r = sshpkt_get_end(ssh)) != 0) {
 +					fatal("Expecting end of packet.");
@@ -1737,7 +1735,7 @@ index 00000000..0b2f6a56
 +					fatal("sshpkt_get failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@@ -1810,7 +1808,7 @@ index 00000000..0b2f6a56
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@@ -1842,8 +1840,8 @@ index 00000000..0b2f6a56
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
++	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
-+            msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *shared_secret = NULL;
@@ -2014,11 +2012,11 @@ index 00000000..0b2f6a56
 +						fatal("sshpkt failed: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
++						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
++						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				break;
 +			case SSH2_MSG_KEXGSS_ERROR:
@@ -2031,7 +2029,7 @@ index 00000000..0b2f6a56
 +					fatal("sshpkt failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@@ -2093,7 +2091,7 @@ index 00000000..0b2f6a56
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
++		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@@ -2128,11 +2126,9 @@ index 00000000..0b2f6a56
 +	return r;
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
-diff --git a/kexgsss.c b/kexgsss.c
+diff --color -ruNp a/kexgsss.c b/kexgsss.c
-new file mode 100644
+--- a/kexgsss.c	1970-01-01 01:00:00.000000000 +0100
-index 00000000..60bc02de
++++ b/kexgsss.c	2026-03-16 15:45:31.256395698 +0100
---- /dev/null
-+++ b/kexgsss.c
 @@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2200,7 +2196,8 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
++	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@@ -2304,7 +2301,7 @@ index 00000000..60bc02de
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			sshpkt_disconnect(ssh,
++			ssh_packet_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}
@@ -2403,7 +2400,8 @@ index 00000000..60bc02de
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
++	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
++	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@@ -2459,10 +2457,8 @@ index 00000000..60bc02de
 +		fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
 +		    min, nbits, max);
 +	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
-+	if (kex->dh == NULL) {
++	if (kex->dh == NULL)
-+		sshpkt_disconnect(ssh, "Protocol error: no matching group found");
++		ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
-+		fatal("Protocol error: no matching group found");
-+	}
 +
 +	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
 +	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
@@ -2500,7 +2496,7 @@ index 00000000..60bc02de
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			sshpkt_disconnect(ssh,
++			ssh_packet_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}

SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch

@@ -0,0 +1,12 @@
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c	2025-12-10 11:51:34.927545274 +0100
++++ b/ssh.c	2025-12-10 12:05:26.210486999 +0100
+@@ -599,6 +599,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */

SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch

@@ -0,0 +1,15 @@
+diff --color -ruNp a/misc.c b/misc.c
+--- a/misc.c	2025-12-09 17:16:21.637368818 +0100
++++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
+@@ -936,9 +936,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}

SPECS/openssh.spec

@@ -66,14 +66,14 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 25
+%global openssh_rel 28
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.alma.1
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -294,9 +294,12 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 Patch1020: openssh-8.7p1-scp-kill-switch.patch
 #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
 Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch
-# upstream commit 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2
+#upstream commit 0832aac79517611dd4de93ad0a83577994d9c907
-# upstream commit 0832aac79517611dd4de93ad0a83577994d9c907
+Patch1022: openssh-8.0p1-CVE-2025-26465.patch
-Patch1022: openssh-9.9p2-CVE-2025-26465.patch
+# upstream 35d5917652106aede47621bb3f64044604164043
+Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
+# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
+Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
 
 License: BSD
 Group: Applications/Internet
@@ -389,7 +392,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.alma.1
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -545,8 +548,9 @@ popd
 %patch1019 -p1 -b .cve-2023-51385
 %patch1020 -p1 -b .scp-kill-switch
 %patch1021 -p1 -b .ignore-SIGPIPE
-
+%patch1022 -p2 -b .cve-2025-26465
-%patch1022 -p1 -b .cve-2025-26465
+%patch1023 -p1 -b .reject-cntrl-chars-in-username
+%patch1024 -p1 -b .reject-null-char-in-url-string
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -832,11 +836,21 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
-* Wed Feb 19 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 8.0p1-25.alma.1
+* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-28
-- Fix missing error codes set and invalid error code checks in OpenSSH. It
+- CVE-2026-3497: Fix information disclosure or denial of service due
-  prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS
+  to uninitialized variables in gssapi-keyex
-  is on (CVE-2025-26465).
+  Resolves: RHEL-155814
-  Resolves: RHEL-78700
+
+* Wed Dec 10 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-27
+- CVE-2025-61984: Reject usernames with control characters
+  Resolves: RHEL-128400
+- CVE-2025-61985: Reject URL-strings with NULL characters
+  Resolves: RHEL-128390
+
+* Wed Aug 20 2025 Antonio Vieiro <avieirov@redhat.com> - 8.0p1-26
+- Fix missing invalid error code checks in OpenSSH. It prevents
+  a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465)
+  Resolves: RHEL-109228
 
 * Tue Jun 25 2024 Stepan Broz <sbroz@redhat.com> - 8.0p1-25
 - Upstream: Ignore SIGPIPE earlier in main()