debcrafters-packages team mailing list archive

[Bug 2129742] Re: CVE-2025-61984 could lead to code execution

 

Got it. Thanks for the info!
Yes, we can make this bug public.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2129742

Title:
  CVE-2025-61984 could lead to code execution

Status in openssh package in Ubuntu:
  New

Bug description:
  ssh in OpenSSH before 10.1 allows control characters in usernames that
  originate from certain possibly untrusted sources, potentially leading
  to code execution when a ProxyCommand is used. The untrusted sources
  are the command line and %-sequence expansion of a configuration file.
  (A configuration file that provides a complete literal username is not
  categorized as an untrusted source.)

  https://ubuntu.com/security/CVE-2025-61984

  When would the fix be released for this CVE, as it is a code execution
  vulnerability?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2129742/+subscriptions
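
Added example, not part of the bug report or of OpenSSH: a Python check for the condition the description names, a ProxyCommand combined with a username that comes from the command line or from %-sequence expansion in a configuration file. The C0-plus-DEL character set, the simplified Host-block model and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: "control characters" means the C0 range plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def username_is_safe(username: str) -> bool:
    """Gate for a username from an untrusted source before it reaches ssh."""
    return bool(username) and CONTROL_CHARS.search(username) is None

def audit_ssh_config(text: str) -> list[str]:
    """Host patterns that combine ProxyCommand with a %-expanded User (simplified:
    "Host *" and global options act as defaults; Include is not followed)."""
    blocks: dict[str, dict[str, str]] = {"*": {}}
    current = "*"  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config allows "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in ("host", "match"):
            current = value
            blocks.setdefault(current, {})
        else:
            blocks[current].setdefault(key, value)  # first value obtained wins
    flagged = []
    for pattern, opts in blocks.items():
        merged = {**blocks["*"], **opts}
        proxy = merged.get("proxycommand", "none")
        user = merged.get("user", "").replace("%%", "")  # %% is a literal percent
        if proxy.lower() != "none" and "%" in user:
            flagged.append(pattern)
    return flagged

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONFIG = """\
Host bastion
    User deploy
    ProxyCommand /usr/bin/nc -X connect -x proxy.example:3128 %h %p
Host build-*
    User=%u
    ProxyCommand ssh -W %h:%p bastion
Host plain
    User %u
"""
if __name__ == "__main__":
    print(audit_ssh_config(SAMPLE_CONFIG))
```

A literal User in the configuration file does not cover usernames supplied on the command line, so wrappers that pass a caller-supplied username to ssh should still apply `username_is_safe` first.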