OpenSSH 10.4 Released with Multiple Security Fixes and New Features

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

OpenSSH 10.4 launched on July 6, 2026, delivering a batch of security patches, protocol hardening, and early post-quantum cryptography support, available through mirrors listed on the official OpenSSH site.

OpenSSH 10.4 Security Fixes

The release addresses several vulnerabilities across core utilities. In sftp(1), a flaw allowed malicious servers to redirect downloaded files to unexpected locations during command-line operations like “sftp host:/path .”. scp(1) received a fix preventing malicious servers from writing files outside the intended target directory during remote-to-remote copies.

Additionally, sshd(8) fixes cover a silent truncation bug in “internal-sftp” that could discard security-relevant options beyond the ninth command-line argument, plus corrections to enforce minimum authentication delays that were previously bypassed, as flagged by the Orange Cyberdefense Vulnerability Team.

Other notable patches include resolving a pre-authentication denial-of-service attack tied to GSSAPIAuthentication and fixing a client-side use-after-free in ssh(1) triggered when a server changes its host key mid-session, reported by researcher Zhenpeng (Leo) Lin.

OpenSSH 10.4 introduces potentially incompatible changes to tighten security posture. The transport protocol now disconnects peers that send non-KEX messages during post-authentication key re-exchange, closing a gap that previously let malicious peers exhaust memory through buffered messages.

On Linux, seccomp sandbox failures are now fatal rather than merely logged, forcing systems lacking these kernel features to disable sandboxing explicitly at build time. The sshd -G configuration dump mode also switches to mixed-case directive output, a cosmetic but breaking change for automation scripts.

The headline addition is experimental support for a composite post-quantum signature scheme combining ML-DSA 44 and Ed25519, following the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification; it’s not enabled by default and requires explicit configuration plus keys generated via “ssh-keygen -t mldsa44-ed25519”.

Separately, ssh(1) and sshd(8) now use an NFA-based wildcard pattern matcher, eliminating exponential worst-case performance issues in the previous implementation.

Numerous bug fixes round out the release, including corrections to FIDO token key downloads, out-of-bounds read fixes in sftp(1), a major refactor of sshd_config parsing for cleaner privilege-separation serialization, and improved bounds checking in cryptographic signing code.

Portability updates sync fmt_scaled.c and getrrsetbyname.c with OpenBSD upstream and patch several memory leaks on error paths.

Source packages are available as openssh-10.4.tar.gz and openssh-10.4p1.tar.gz, both verifiable via SHA1 and base64-encoded SHA256 checksums, with signing keys distributed through official mirror sites.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.