| Message ID | 20260702-openssh-cve-2026-35414-v1-1-bb863c2c82f5@bootlin.com |
|---|---|
| State | New |
| Series | [scarthgap] openssh: CVE-2026-35387 patch also fixes CVE-2026-35414 |
On Thu Jul 2, 2026 at 3:15 PM CEST, Benjamin Robin via lists.openembedded.org wrote: > An explanation can be found on debian repository: > https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3 That does not look obvious to me... Can you send a v2 with the explanation spelt out please? Thanks! > > Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> > --- > .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch} | 2 +- > meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch > similarity index 99% > rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch > rename to meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch > index c4806bd9935c..4839d76fa808 100644 > --- a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch > +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch > @@ -14,7 +14,7 @@ Reported by Christos Papakonstantinou of Cantina and Spearbit. > > OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86 > > -CVE: CVE-2026-35387 > +CVE: CVE-2026-35414 CVE-2026-35387 > Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa] > Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> > --- > diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > index ea158b56b419..4193bc8a5b41 100644 > --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
> @@ -35,7 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar > file://CVE-2025-61985.patch \ > file://CVE-2025-61984_CVE-2026-35386.patch \ > file://CVE-2026-35385.patch \ > - file://CVE-2026-35387.patch \ > + file://CVE-2026-35414-CVE-2026-35387.patch \ > file://CVE-2026-35388.patch \ > " > SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" > > --- > base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d > change-id: 20260702-openssh-cve-2026-35414-07494753183a > > Best regards, > -- > Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch similarity index 99% rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch rename to meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch index c4806bd9935c..4839d76fa808 100644 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch @@ -14,7 +14,7 @@ Reported by Christos Papakonstantinou of Cantina and Spearbit. OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86 -CVE: CVE-2026-35387 +CVE: CVE-2026-35414 CVE-2026-35387 Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa] Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> --- diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index ea158b56b419..4193bc8a5b41 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb @@ -35,7 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-61985.patch \ file://CVE-2025-61984_CVE-2026-35386.patch \ file://CVE-2026-35385.patch \ - file://CVE-2026-35387.patch \ + file://CVE-2026-35414-CVE-2026-35387.patch \ file://CVE-2026-35388.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
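Review bot: the CVE-2026-35414 id added to the `CVE:` line in the patch header (first hunk, `@@ -14,7 +14,7 @@`) comes with no stated justification. The header still describes only the original fix, and the commit message offers just a link to a Debian commit. Add a sentence to the commit message or to the patch header saying what in the backported upstream commit fd1c7e131f331942d20f42f31e79912d570081fa addresses CVE-2026-35414, so the tag can be checked without following an external link.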
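Review bot: in the `SRC_URI` hunk of openssh_9.6p1.bb (`@@ -35,7 +35,7 @@`), the new entry joins its two CVE ids with a hyphen, `CVE-2026-35414-CVE-2026-35387.patch`, while the existing entry two lines above it joins them with an underscore, `CVE-2025-61984_CVE-2026-35386.patch`. Consider `CVE-2026-35414_CVE-2026-35387.patch` so the combined-patch names in this recipe follow one convention, and use the same name as the rename target in the first diff.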
An explanation can be found on debian repository:
https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch} | 2 +-
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260702-openssh-cve-2026-35414-07494753183a

Best regards,
--
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>