mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
9f461395a8
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. Note: openssh does not support variable expansion until 10.0, so backport adapts for this. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-61984 Upstream-Status: Backport from https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043 (From OE-Core rev: 7ca0c7a4d17c707658669e255689ecd4183c7e9b) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>