diff mbox series

[scarthgap] openssh: CVE-2026-35387 patch also fixes CVE-2026-35414

Message ID 20260702-openssh-cve-2026-35414-v1-1-bb863c2c82f5@bootlin.com
State New
Headers show
Series [scarthgap] openssh: CVE-2026-35387 patch also fixes CVE-2026-35414 | expand

Commit Message

Benjamin Robin (Schneider Electric) July 2, 2026, 1:15 p.m. UTC
An explanation can be found on debian repository:
https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch}       | 2 +-
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb                      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260702-openssh-cve-2026-35414-07494753183a

Best regards,
--  
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>

Comments

Yoann Congal July 2, 2026, 1:23 p.m. UTC | #1
On Thu Jul 2, 2026 at 3:15 PM CEST, Benjamin Robin via lists.openembedded.org wrote:
> An explanation can be found on debian repository:
> https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3

That does not look obvious to me... Can you send a v2 with the
explanation spelt out please?

Thanks!

>
> Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
> ---
>  .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch}       | 2 +-
>  meta/recipes-connectivity/openssh/openssh_9.6p1.bb                      | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
> similarity index 99%
> rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
> rename to meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
> index c4806bd9935c..4839d76fa808 100644
> --- a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
> @@ -14,7 +14,7 @@ Reported by Christos Papakonstantinou of Cantina and Spearbit.
>  
>  OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
>  
> -CVE: CVE-2026-35387
> +CVE: CVE-2026-35414 CVE-2026-35387
>  Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa]
>  Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
>  ---
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index ea158b56b419..4193bc8a5b41 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -35,7 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
>             file://CVE-2025-61985.patch \
>             file://CVE-2025-61984_CVE-2026-35386.patch \
>             file://CVE-2026-35385.patch \
> -           file://CVE-2026-35387.patch \
> +           file://CVE-2026-35414-CVE-2026-35387.patch \
>             file://CVE-2026-35388.patch \
>             "
>  SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
>
> ---
> base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
> change-id: 20260702-openssh-cve-2026-35414-07494753183a
>
> Best regards,
> --  
> Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
diff mbox series

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
similarity index 99%
rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
rename to meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
index c4806bd9935c..4839d76fa808 100644
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
@@ -14,7 +14,7 @@  Reported by Christos Papakonstantinou of Cantina and Spearbit.
 
 OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
 
-CVE: CVE-2026-35387
+CVE: CVE-2026-35414 CVE-2026-35387
 Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa]
 Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
 ---
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index ea158b56b419..4193bc8a5b41 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -35,7 +35,7 @@  SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2025-61985.patch \
            file://CVE-2025-61984_CVE-2026-35386.patch \
            file://CVE-2026-35385.patch \
-           file://CVE-2026-35387.patch \
+           file://CVE-2026-35414-CVE-2026-35387.patch \
            file://CVE-2026-35388.patch \
            "
 SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"