One of our customers has raised some vulnerabilities regarding OpenSSH which they would like to resolve, if possible.
11.1
Both of them are fixed as part of May 2025 MPP. Please check the NEW_CVE_info-v11.1-Debian-x86_64-2025-05-26 file for May MPP.
openssh-sftp-server_1%3a9.2p1-2+deb12u6_amd64.deb
* CVE-2025-32728: sshd(8): fix the DisableForwarding directive, which was
* CVE-2025-26465: Fix MitM in verify_host_key_callback.
- [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
- [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
- [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
- [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
- [CVE-2023-38408] Fix a condition where specific libraries loaded via
- CVE-2021-41617 (closes: #995130): sshd(8) from OpenSSH 6.2 through 8.7