diff --git a/backport-fix-CVE-2025-61984.patch b/backport-fix-CVE-2025-61984.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a497ffee156e5dc9cd8dc69da447039a43036da
--- /dev/null
+++ b/backport-fix-CVE-2025-61984.patch
@@ -0,0 +1,124 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: upstream: Improve rules for %-expansion of username.
+
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+
+Pointed out by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+Conflict:Without feature "Allow %-token and environment variable
+expansion in User"
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=35d5917652106aede47621bb3f64044604164043
+---
+ ssh.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 4bf0a15..76e25c1 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -608,6 +608,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -629,6 +631,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0, user_was_default = 0;
+ 	char *p, *cp, *line, *argv0, buf[PATH_MAX], *logfile;
+ 	char cname[NI_MAXHOST];
+ 	struct stat st;
+@@ -997,8 +1000,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
+-				options.user = optarg;
++			if (options.user == NULL) {
++				options.user = xstrdup(optarg);
++				user_on_commandline = 1;
++			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1095,6 +1100,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
++				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1109,6 +1115,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
++					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1130,8 +1137,6 @@ main(int ac, char **av)
+ 
+ 	if (!valid_hostname(host))
+ 		fatal("hostname contains invalid characters");
+-	if (options.user != NULL && !valid_ruser(options.user))
+-		fatal("remote username contains invalid characters");
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
+@@ -1374,8 +1379,10 @@ main(int ac, char **av)
+ 		tty_flag = 0;
+ 	}
+ 
+-	if (options.user == NULL)
++	if (options.user == NULL) {
++		user_was_default = 1;
+ 		options.user = xstrdup(pw->pw_name);
++	}
+ 
+ 	/* Set up strings used to percent_expand() arguments */
+ 	if (gethostname(thishost, sizeof(thishost)) == -1)
+@@ -1386,6 +1393,16 @@ main(int ac, char **av)
+ 	snprintf(uidstr, sizeof(uidstr), "%llu",
+ 	    (unsigned long long)pw->pw_uid);
+ 
++	/*
++	 * Usernames specified on the commandline or expanded from the
++	 * configuration file must be validated.
++	 * Conversely, usernames from getpwnam(3) or specified as literals
++	 * via configuration (i.e. not expanded) are not subject to validation.
++	 */
++	if ((user_on_commandline) &&
++			!valid_ruser(options.user))
++	        fatal("remote username contains invalid characters");
++
+ 	if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL ||
+ 	    ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
+ 	    ssh_digest_update(md, host, strlen(host)) < 0 ||
+-- 
+2.33.0
+
diff --git a/backport-fix-CVE-2025-61985.patch b/backport-fix-CVE-2025-61985.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ed418d0cb94076d884db2e1eb722901419c5445
--- /dev/null
+++ b/backport-fix-CVE-2025-61985.patch
@@ -0,0 +1,44 @@
+From 43b3bff47bb029f2299bacb6a36057981b39fdb0 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:30:06 +0000
+Subject: upstream: don't allow \0 characters in url-encoded strings.
+
+Suggested by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c
+Conflict:add check srclen
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=43b3bff47bb029f2299bacb6a36057981b39fdb0
+---
+ misc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/misc.c b/misc.c
+index ecd4ca0..85258d1 100644
+--- a/misc.c
++++ b/misc.c
+@@ -825,6 +825,10 @@ urldecode(const char *src)
+ {
+ 	char *ret, *dst;
+ 	int ch;
++	size_t srclen;
++
++	if ((srclen = strlen(src)) >= SIZE_MAX)
++               return NULL;
+ 
+ 	ret = xmalloc(strlen(src) + 1);
+ 	for (dst = ret; *src != '\0'; src++) {
+@@ -833,9 +837,10 @@ urldecode(const char *src)
+ 			*dst++ = ' ';
+ 			break;
+ 		case '%':
++			/* note: don't allow \0 characters */
+ 			if (!isxdigit((unsigned char)src[1]) ||
+ 			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+ 				free(ret);
+ 				return NULL;
+ 			}
+-- 
+2.33.0
+
diff --git a/openssh.spec b/openssh.spec
index c28b89dcbbefc1b477fec6285f47c6554337579e..0dd229e56105d63ef1f58c9eded3c79940cfabd1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 32
+%global openssh_release 33
 
 Name:           openssh
 Version:        8.2p1
@@ -108,6 +108,8 @@ Patch74:        backport-CVE-2023-48795.patch
 Patch75:        fix-memory-leak-in-kex-exchange.patch
 Patch76:        backport-fix-CVE-2025-26465.patch
 Patch77:        backport-fix-CVE-2025-32728.patch
+Patch78:        backport-fix-CVE-2025-61984.patch
+Patch79:        backport-fix-CVE-2025-61985.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -288,6 +290,8 @@ popd
 %patch75 -p1
 %patch76 -p1
 %patch77 -p1
+%patch78 -p1
+%patch79 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@@ -497,6 +501,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Fri Oct 24 2025 zhangbinqin<zhangbinqin@h-partners.com> - 8.2p1-33
+- Type:CVE
+- CVE:CVE-2025-61984 CVE-2025-61985
+- SUG:NA
+- DESC:fix CVE-2025-61984 CVE-2025-61985
+
 * Fri Aug 1 2025 zhangbinqin<zhangbinqin@h-partners.com> - 8.2p1-32
 - Type:bugfix
 - CVE:NA