Security Improvements and Vulnerability Patches
The OpenSSH project released version 10.4 on July 6, 2026, addressing several security vulnerabilities across its core components. A flaw in sftp(1) could allow a malicious server to redirect downloaded files to unintended locations during command line operations. The scp(1) utility received a fix to prevent rogue servers from writing files outside the target directory during remote to remote copy operations. The sshd(8) daemon was patched to correct a silent truncation bug in the internal SFTP subsystem that could discard critical security options beyond the ninth command line argument. The Orange Cyberdefense Vulnerability Team contributed fixes that enforce minimum authentication delays which were previously bypassable.
Post Quantum Cryptography and Protocol Hardening
OpenSSH 10.4 introduces experimental support for a composite post quantum signature scheme that combines ML-DSA 44 with Ed25519, following the draft-miller-sshm-mldsa44-ed25519-composite-sigs specification. This feature requires explicit configuration and key generation and is not enabled by default. The transport protocol now disconnects peers sending non key exchange messages during post authentication re exchange, closing a vector that allowed malicious peers to exhaust memory through buffered messages. On Linux systems, seccomp sandbox failures are now treated as fatal errors rather than simple log entries, forcing explicit build time configuration for systems lacking these kernel features.
Source: Cyber Security News
