diff --git a/backport-fix-CVE-2025-61984.patch b/backport-fix-CVE-2025-61984.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57b3031e87504736d7c2f0059b3b98be2d0871be
--- /dev/null
+++ b/backport-fix-CVE-2025-61984.patch
@@ -0,0 +1,131 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: upstream: Improve rules for %-expansion of username.
+
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+
+Pointed out by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+Conflict:Without feature "Allow %-token and environment variable expansion in User"
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=35d5917652106aede47621bb3f64044604164043
+---
+ ssh.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index b3b13ba..d6f37fc 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -650,6 +650,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -671,6 +673,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0, user_was_default = 0;
+ 	char *p, *cp, *line, *argv0, *logfile;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -1027,8 +1030,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
+-				options.user = optarg;
++			if (options.user == NULL) {
++				options.user = xstrdup(optarg);
++				user_on_commandline = 1;
++			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1131,6 +1136,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
++				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1145,6 +1151,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
++					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1166,8 +1173,6 @@ main(int ac, char **av)
+ 
+ 	if (!valid_hostname(host))
+ 		fatal("hostname contains invalid characters");
+-	if (options.user != NULL && !valid_ruser(options.user))
+-		fatal("remote username contains invalid characters");
+ 	options.host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
+@@ -1299,8 +1304,10 @@ main(int ac, char **av)
+ 	if (fill_default_options(&options) != 0)
+ 		cleanup_exit(255);
+ 
+-	if (options.user == NULL)
++	if (options.user == NULL) {
++		user_was_default = 1;
+ 		options.user = xstrdup(pw->pw_name);
++	}
+ 
+ 	/*
+ 	 * If ProxyJump option specified, then construct a ProxyCommand now.
+@@ -1441,11 +1448,23 @@ main(int ac, char **av)
+ 	    options.host_key_alias : options.host_arg);
+ 	cinfo->host_arg = xstrdup(options.host_arg);
+ 	cinfo->remhost = xstrdup(host);
+-	cinfo->remuser = xstrdup(options.user);
+ 	cinfo->homedir = xstrdup(pw->pw_dir);
+ 	cinfo->locuser = xstrdup(pw->pw_name);
+ 	cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ 	    "" : options.jump_host);
++
++	/*
++	 * Usernames specified on the commandline or expanded from the
++	 * configuration file must be validated.
++	 * Conversely, usernames from getpwnam(3) or specified as literals
++	 * via configuration (i.e. not expanded) are not subject to validation.
++	 */
++	if ((user_on_commandline) &&
++		!valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
++
++	/* Now User is expanded, store it and calculate hash. */
++	cinfo->remuser = xstrdup(options.user);
+ 	cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
+ 	    cinfo->remhost, cinfo->portstr, cinfo->remuser, cinfo->jmphost);
+ 
+-- 
+2.33.0
+
diff --git a/backport-fix-CVE-2025-61985.patch b/backport-fix-CVE-2025-61985.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8932c8d42380516dcac23ebdc475e951019a213
--- /dev/null
+++ b/backport-fix-CVE-2025-61985.patch
@@ -0,0 +1,42 @@
+From 43b3bff47bb029f2299bacb6a36057981b39fdb0 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:30:06 +0000
+Subject: upstream: don't allow \0 characters in url-encoded strings.
+
+Suggested by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=43b3bff47bb029f2299bacb6a36057981b39fdb0
+---
+ misc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index ff43c3d..957c849 100644
+--- a/misc.c
++++ b/misc.c
+@@ -966,7 +966,7 @@ urldecode(const char *src)
+ 	size_t srclen;
+ 
+ 	if ((srclen = strlen(src)) >= SIZE_MAX)
+-		fatal_f("input too large");
++		return NULL;
+ 	ret = xmalloc(srclen + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+ 		switch (*src) {
+@@ -974,9 +974,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
+-- 
+2.33.0
+
diff --git a/openssh.spec b/openssh.spec
index f68b45533479b336fe1263d1192ce0f08769172b..d712e1e44c272db5844aa0f0905afe65ac5b3c5a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 8
+%global openssh_release 9
 
 Name:           openssh
 Version:        9.6p1
@@ -114,6 +114,8 @@ Patch73:        backport-fix-CVE-2024-39894.patch
 Patch74:        backport-fix-CVE-2025-26465.patch
 Patch75:        backport-fix-CVE-2025-26466.patch
 Patch76:        backport-fix-CVE-2025-32728.patch
+Patch77:        backport-fix-CVE-2025-61984.patch
+Patch78:        backport-fix-CVE-2025-61985.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -314,6 +316,8 @@ popd
 %patch -P 74 -p1
 %patch -P 75 -p1
 %patch -P 76 -p1
+%patch -P 77 -p1
+%patch -P 78 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -545,6 +549,12 @@ fi
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Fri Oct 24 2025 zhangbinqin<zhangbinqin@h-partners.com> - 9.6p1-9
+- Type:CVE
+- CVE:CVE-2025-61984 CVE-2025-61985
+- SUG:NA
+- DESC:fix CVE-2025-61984 CVE-2025-61985
+
 * Mon Sep 15 2025 zhangbinqin<zhangbinqin@h-partners.com> - 9.6p1-8
 - Type:bugfix
 - CVE:NA