HeadlinesBriefing favicon HeadlinesBriefing.com

OpenSSH 10.4 Released with New Security Fixes

Hacker News •
×

OpenSSH cabeza released 10.4 on 2026-07-06. The update is available from the project’s mirrors and continues the 100 % SSH‑protocol 2.0 implementation that bundles sftp client and server.

The new binary introduces potentially incompatible changes: the sshd -G dump now emits mixed‑case directives such as *Pubkey Authentication*; Linux systems with a seccomp sandbox enabled will terminate if SECCOMP or NO_NEW_PRIVS fails, forcing a configure‑time disable; and transport protocol enforcement now drops peers that send non‑KEX messages during post‑authentication re‑exchange, preventing memory exhaustion from malicious traffic.

Security patches address several vectors reported by the Swival Security Scanner and other researchers. SFTP file‑download paths are no longer misdirected, scp no longer writes to parent directories, and internal‑sftp command truncation is fixed. GSSAPI settings are clarified, Permit Tunnel conflicts are resolved, and pre‑auth denial‑of‑service risks from GSSAPIAuthentication are mitigated. New bug fixes tighten memory handling, validate transport state, and correct numerous edge cases.

Notable additions include experimental support for the composite ML-DSA44‑Ed25519 post‑quantum signature scheme and an NFA‑based wildcard matcher that removes exponential worst‑case behaviour. These changes strengthen cryptographic resilience and improve server performance, positioning OpenSSH to meet evolving security demands.