.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,3 +1,36 @@
-SOURCES/DJM-GPG-KEY.gpg
-SOURCES/openssh-8.0p1.tar.gz
-SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
+openssh-5.5p1-noacss.tar.bz2
+pam_ssh_agent_auth-0.9.2.tar.bz2
+/openssh-5.6p1-noacss.tar.bz2
+/pam_ssh_agent_auth-0.9.2.tar.bz2
+/openssh-5.8p1-noacss.tar.bz2
+/openssh-5.8p2-noacss.tar.bz2
+/openssh-5.9p1-noacss.tar.bz2
+/pam_ssh_agent_auth-0.9.3.tar.bz2
+/openssh-6.0p1-noacss.tar.bz2
+/openssh-6.1p1-noacss.tar.bz2
+/openssh-6.2p1.tar.gz
+/openssh-6.2p2.tar.gz
+/openssh-6.3p1.tar.gz
+/openssh-6.4p1.tar.gz
+/openssh-6.6p1.tar.gz
+/openssh-6.7p1.tar.gz
+/openssh-6.8p1.tar.gz
+/openssh-6.9p1.tar.gz
+/openssh-7.0p1.tar.gz
+/openssh-7.1p1.tar.gz
+/openssh-7.1p2.tar.gz
+/pam_ssh_agent_auth-0.10.2.tar.bz2
+/openssh-7.2p1.tar.gz
+/openssh-7.2p2.tar.gz
+/openssh-7.3p1.tar.gz
+/openssh-7.4p1.tar.gz
+/pam_ssh_agent_auth-0.10.3.tar.bz2
+/openssh-7.5p1.tar.gz
+/openssh-7.6p1.tar.gz
+/openssh-7.7p1.tar.gz
+/openssh-7.7p1.tar.gz.asc
+/DJM-GPG-KEY.gpg
+/openssh-7.8p1.tar.gz
+/openssh-7.8p1.tar.gz.asc
+/openssh-8.0p1.tar.gz
+/openssh-8.0p1.tar.gz.asc

.openssh.metadata

@@ -1,3 +0,0 @@
-bed7240bb17840b451b8f8457791c33456814d93 SOURCES/DJM-GPG-KEY.gpg
-756dbb99193f9541c9206a667eaa27b0fa184a4f SOURCES/openssh-8.0p1.tar.gz
-a4482a050fdad1d012427e45799564136708cf6b SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2

SOURCES/openssh-8.0p1-CVE-2025-26465.patch

@@ -1,57 +0,0 @@
-diff --git a/openssh-8.0p1/krl.c b/openssh-8.0p1/krl.c
-index 8e2d5d5..e5b046d 100644
---- a/openssh-8.0p1/krl.c
-+++ b/openssh-8.0p1/krl.c
-@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
- 			break;
- 		case KRL_SECTION_CERT_SERIAL_BITMAP:
- 			if (rs->lo - bitmap_start > INT_MAX) {
-+				r = SSH_ERR_INVALID_FORMAT;
- 				error("%s: insane bitmap gap", __func__);
- 				goto out;
- 			}
-@@ -1011,6 +1012,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
- 		goto out;
- 
- 	if ((krl = ssh_krl_init()) == NULL) {
-+		r = SSH_ERR_ALLOC_FAIL;
- 		error("%s: alloc failed", __func__);
- 		goto out;
- 	}
-diff --git a/openssh-8.0p1/sshconnect2.c b/openssh-8.0p1/sshconnect2.c
-index ce855eb..9650b24 100644
---- a/openssh-8.0p1/sshconnect2.c
-+++ b/openssh-8.0p1/sshconnect2.c
-@@ -95,7 +95,7 @@ struct sockaddr *xxx_hostaddr;
- static int
- verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
- {
--	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
-+	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0)
- 		fatal("Host key verification failed.");
- 	return 0;
- }
-@@ -767,6 +767,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
- 
- 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
- 		debug("%s: server sent unknown pkalg %s", __func__, pkalg);
-+		r = SSH_ERR_INVALID_FORMAT;
- 		goto done;
- 	}
- 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
-@@ -777,6 +778,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
- 		error("input_userauth_pk_ok: type mismatch "
- 		    "for decoded key (received %d, expected %d)",
- 		    key->type, pktype);
-+		r = SSH_ERR_INVALID_FORMAT;
- 		goto done;
- 	}
- 
-@@ -796,6 +798,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
- 		    SSH_FP_DEFAULT);
- 		error("%s: server replied with unknown key: %s %s", __func__,
- 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
-+		r = SSH_ERR_INVALID_FORMAT;
- 		goto done;
- 	}
- 	ident = format_identity(id);

SOURCES/openssh-8.0p1-reject-cntrl-chars-in-username.patch

@@ -1,12 +0,0 @@
-diff --color -ruNp a/ssh.c b/ssh.c
---- a/ssh.c	2025-12-10 11:51:34.927545274 +0100
-+++ b/ssh.c	2025-12-10 12:05:26.210486999 +0100
-@@ -599,6 +599,8 @@ valid_ruser(const char *s)
- 	if (*s == '-')
- 		return 0;
- 	for (i = 0; s[i] != 0; i++) {
-+		if (iscntrl((u_char)s[i]))
-+			return 0;
- 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
- 			return 0;
- 		/* Disallow '-' after whitespace */

SOURCES/openssh-8.0p1.tar.gz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAly3ro8ACgkQ0+X1a22S
-DTCAiAx/W9XHoDs5NijyNIP43W2nFYuf6HG1duoLjdJ8rnsC3e90gx8h5RpUUh24
-JDACoUFnbJsNgiQBaYpO7bOnf3Vw5Oui1gPeKnQ76KQsXDwD/N/0wLUf55+XdNJ6
-tcgm6/x1W4b8bWje5bcS3qhxv6t/hSL/OxusA8zoNmnTD5XMg6QtJ0Rp9ZHPriCJ
-C4eCPdHfmyHCr1IATMX9+n5CO5JUPexaDjQug7k/Z1XA/UlwVfRRs1JMpviBodC+
-ZUOuk9tH11RKSBcUeR3Ef4iaR3FchryyyBZUZdYBkmDrnHrYpUK5ifdHT+ZXdzPl
-laX03Kz094LqrP6L3lafk6b1PKOVjKwx1vM5fhnv+pfx4dmao9BwZMuIq6Fa5uMX
-w2oHGhlIDmeT66Yny5d0APn2wCewyYUGPanSZY/HolHAPs+doOBgI361kMAR9J3e
-Ii3VKhIdE8i4K3fC19uDkf7xL8UVvRVXjgM7i+GNndh1ou/vDYxmEAsW9IR/D3XC
-HM/jMdq+UewAiRG46aI5rsi/A8J8/A==
-=YtoH
------END PGP SIGNATURE-----

SOURCES/openssh-8.7p1-reject-null-char-in-url-string.patch

@@ -1,15 +0,0 @@
-diff --color -ruNp a/misc.c b/misc.c
---- a/misc.c	2025-12-09 17:16:21.637368818 +0100
-+++ b/misc.c	2025-12-09 17:48:22.679192853 +0100
-@@ -936,9 +936,10 @@ urldecode(const char *src)
- 			*dst++ = ' ';
- 			break;
- 		case '%':
-+			/* note: don't allow \0 characters */
- 			if (!isxdigit((unsigned char)src[1]) ||
- 			    !isxdigit((unsigned char)src[2]) ||
--			    (ch = hexchar(src + 1)) == -1) {
-+			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
- 				free(ret);
- 				return NULL;
- 			}

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}

openssh-8.0p1-gssapi-keyex.patch

@@ -1504,9 +1504,11 @@ index 2abbb9ef..569dc83f 100644
  kex_gen_hash(
      int hash_alg,
      const struct sshbuf *client_version,
-diff --color -ruNp a/kexgssc.c b/kexgssc.c
---- a/kexgssc.c	1970-01-01 01:00:00.000000000 +0100
-+++ b/kexgssc.c	2026-03-16 15:43:01.131354176 +0100
+diff --git a/kexgssc.c b/kexgssc.c
+new file mode 100644
+index 00000000..0b2f6a56
+--- /dev/null
++++ b/kexgssc.c
 @@ -0,0 +1,618 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1562,8 +1564,8 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
-+	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++	    recv_tok = GSS_C_EMPTY_BUFFER,
++	    gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *server_blob = NULL;
@@ -1715,11 +1717,11 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +						fatal("Failed to read token: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
++						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
++						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				if ((r = sshpkt_get_end(ssh)) != 0) {
 +					fatal("Expecting end of packet.");
@@ -1735,7 +1737,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +					fatal("sshpkt_get failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@@ -1808,7 +1810,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
++		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@@ -1840,8 +1842,8 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +{
 +	struct kex *kex = ssh->kex;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf = GSS_C_EMPTY_BUFFER,
-+	    msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
++	    recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
++            msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
 +	struct sshbuf *shared_secret = NULL;
@@ -2012,11 +2014,11 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +						fatal("sshpkt failed: %s", ssh_err(r));
 +					/* If we're already complete - protocol error */
 +					if (maj_status == GSS_S_COMPLETE)
-+						ssh_packet_disconnect(ssh, "Protocol error: received token when complete");
++						sshpkt_disconnect(ssh, "Protocol error: received token when complete");
 +				} else {
 +					/* No token included */
 +					if (maj_status != GSS_S_COMPLETE)
-+						ssh_packet_disconnect(ssh, "Protocol error: did not receive final token");
++						sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
 +				}
 +				break;
 +			case SSH2_MSG_KEXGSS_ERROR:
@@ -2029,7 +2031,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +					fatal("sshpkt failed: %s", ssh_err(r));
 +				fatal("GSSAPI Error: \n%.400s", msg);
 +			default:
-+				ssh_packet_disconnect(ssh, "Protocol error: didn't expect packet type %d",
++				sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
 +				    type);
 +			}
 +			token_ptr = &recv_tok;
@@ -2091,7 +2093,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +
 +	/* Verify that the hash matches the MIC we just got. */
 +	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
-+		ssh_packet_disconnect(ssh, "Hash's MIC didn't verify");
++		sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
@@ -2126,9 +2128,11 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c
 +	return r;
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
-diff --color -ruNp a/kexgsss.c b/kexgsss.c
---- a/kexgsss.c	1970-01-01 01:00:00.000000000 +0100
-+++ b/kexgsss.c	2026-03-16 15:45:31.256395698 +0100
+diff --git a/kexgsss.c b/kexgsss.c
+new file mode 100644
+index 00000000..60bc02de
+--- /dev/null
++++ b/kexgsss.c
 @@ -0,0 +1,482 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2196,8 +2200,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
++	gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@@ -2301,7 +2304,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			ssh_packet_disconnect(ssh,
++			sshpkt_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}
@@ -2400,8 +2403,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +	 */
 +
 +	OM_uint32 ret_flags = 0;
-+	gss_buffer_desc gssbuf = GSS_C_EMPTY_BUFFER,
-+	    recv_tok = GSS_C_EMPTY_BUFFER, msg_tok = GSS_C_EMPTY_BUFFER;
++	gss_buffer_desc gssbuf, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
 +	struct sshbuf *shared_secret = NULL;
@@ -2457,8 +2459,10 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +		fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
 +		    min, nbits, max);
 +	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
-+	if (kex->dh == NULL)
-+		ssh_packet_disconnect(ssh, "Protocol error: no matching group found");
++	if (kex->dh == NULL) {
++		sshpkt_disconnect(ssh, "Protocol error: no matching group found");
++		fatal("Protocol error: no matching group found");
++	}
 +
 +	DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
 +	if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
@@ -2496,7 +2500,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c
 +				fatal("sshpkt failed: %s", ssh_err(r));
 +			break;
 +		default:
-+			ssh_packet_disconnect(ssh,
++			sshpkt_disconnect(ssh,
 +			    "Protocol error: didn't expect packet type %d",
 +			    type);
 +		}

openssh.spec

@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 28
+%global openssh_rel 25
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -294,12 +294,6 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch
 Patch1020: openssh-8.7p1-scp-kill-switch.patch
 #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
 Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch
-#upstream commit 0832aac79517611dd4de93ad0a83577994d9c907
-Patch1022: openssh-8.0p1-CVE-2025-26465.patch
-# upstream 35d5917652106aede47621bb3f64044604164043
-Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
-# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
-Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
 
 License: BSD
 Group: Applications/Internet
@@ -548,9 +542,6 @@ popd
 %patch1019 -p1 -b .cve-2023-51385
 %patch1020 -p1 -b .scp-kill-switch
 %patch1021 -p1 -b .ignore-SIGPIPE
-%patch1022 -p2 -b .cve-2025-26465
-%patch1023 -p1 -b .reject-cntrl-chars-in-username
-%patch1024 -p1 -b .reject-null-char-in-url-string
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -836,22 +827,6 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
-* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-28
-- CVE-2026-3497: Fix information disclosure or denial of service due
-  to uninitialized variables in gssapi-keyex
-  Resolves: RHEL-155814
-
-* Wed Dec 10 2025 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-27
-- CVE-2025-61984: Reject usernames with control characters
-  Resolves: RHEL-128400
-- CVE-2025-61985: Reject URL-strings with NULL characters
-  Resolves: RHEL-128390
-
-* Wed Aug 20 2025 Antonio Vieiro <avieirov@redhat.com> - 8.0p1-26
-- Fix missing invalid error code checks in OpenSSH. It prevents
-  a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465)
-  Resolves: RHEL-109228
-
 * Tue Jun 25 2024 Stepan Broz <sbroz@redhat.com> - 8.0p1-25
 - Upstream: Ignore SIGPIPE earlier in main()
   Resolves: RHEL-37743

plans/ci.fmf

@@ -0,0 +1,23 @@
+/fips-disabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssh
+      name: /Plans/ci/fips-disabled-buildroot-enabled
+
+/fips-enabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssh
+      name: /Plans/ci/fips-enabled-buildroot-enabled
+
+/fips-disabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssh
+      name: /Plans/ci/fips-disabled-buildroot-disabled
+
+/fips-enabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/openssh
+      name: /Plans/ci/fips-enabled-buildroot-disabled

sources

@@ -0,0 +1,4 @@
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+SHA512 (openssh-8.0p1.tar.gz.asc) = fe9e7383d9467e869762864f2b719165d9a3f2c5316c07067df1d45fc7819bd2cb8ef758454865595688804a4c160dd3d3aaee4c5f887859555d2c7bb8c4592b
+SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
+SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66