similarity index 99%
rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
rename to meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
@@ -14,7 +14,7 @@ Reported by Christos Papakonstantinou of Cantina and Spearbit.
OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
-CVE: CVE-2026-35387
+CVE: CVE-2026-35414 CVE-2026-35387
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
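Review bot: the `+CVE:` line keeps both identifiers on a single space-separated `CVE:` tag, which is the form cve-check reads when one patch covers several CVEs, so the renamed patch will be credited for CVE-2026-35414 as well as CVE-2026-35387; the Upstream-Status backport URL is rightly left unchanged, since the commit message states that the one upstream commit fd1c7e131f331942d20f42f31e79912d570081fa fixes both. Nothing to change here beyond confirming the tag is on one line, not wrapped.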
@@ -35,7 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2025-61985.patch \
file://CVE-2025-61984_CVE-2026-35386.patch \
file://CVE-2026-35385.patch \
- file://CVE-2026-35387.patch \
+ file://CVE-2026-35414-CVE-2026-35387.patch \
file://CVE-2026-35388.patch \
"
SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
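Review bot: the new file name `CVE-2026-35414-CVE-2026-35387.patch` joins the two ids with a hyphen, while the existing multi-CVE patch two lines above in the same SRC_URI, `CVE-2025-61984_CVE-2026-35386.patch`, uses an underscore; for consistency within this recipe consider `file://CVE-2026-35414_CVE-2026-35387.patch` (and the matching rename in the file header). Purely a naming point; the `-`/`+` substitution itself is correct and the remaining entries are untouched.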
The openssh commit fd1c7e131f331942d20f42f31e79912d570081fa fixes 2 CVEs:
CVE-2026-35414 and CVE-2026-35387.

CVE-2026-35414:

| OpenSSH before 10.3 mishandles the authorized_keys principals option
| in uncommon scenarios involving a principals list in conjunction
| with a Certificate Authority that makes certain use of comma
| characters. The match_principals_option() function is fixed.

Before this fix: When matching an authorized_keys principals="" option
against a list of principals in a certificate, an incorrect algorithm
was used that could allow inappropriate matching in cases where a
principal name in the certificate contains a comma character.

Exploitation of the condition requires an authorized_keys principals=""
option that lists more than one principal *and* a CA that will issue a
certificate that encodes more than one of these principal names
separated by a comma (typical CAs strongly constrain which principal
names they will place in a certificate).

This condition only applies to user-trusted CA keys in authorized_keys;
the main certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.

CVE-2026-35387:

| OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of
| any ECDSA algorithm in PubkeyAcceptedAlgorithms or
| HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
| algorithms.

The rest of the patch makes it possible to correctly match ECDSA
signature algorithms against algorithm allowlists.

The full explanation can be found in the Debian repository:
https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
Changes in v2:
- Update commit message to clarify why the patch is fixing 2 CVEs
- Link to v1: https://patch.msgid.link/20260702-openssh-cve-2026-35414-v1-1-bb863c2c82f5@bootlin.com
---
 .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch} | 2 +-
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260702-openssh-cve-2026-35414-07494753183a

Best regards,
-- 
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
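The two list-matching rules the commit message describes, as an added illustration that is not part of the patch, the mailing-list post or OpenSSH itself: a certificate principal must equal one entry of the `principals=""` option exactly, so a principal that itself contains a comma cannot satisfy two separate entries, and an ECDSA signature algorithm is accepted only when its full name is listed, not because another curve of the same family is. The pre-fix OpenSSH matching code is not reproduced here (the page does not show it); `family_accepted_misinterpretation` only models the reading the advisory text calls wrong, and `audit_cert_principals` is an added review helper. All inputs are constructed; option values are assumed to be plain comma-separated lists without sshd's `+`/`-`/`^` prefixes.

```python
"""Added example (not OpenSSH code): exact-match semantics for the
authorized_keys principals="" option and for an accepted-algorithms
list, the two allowlists named in the commit message above.
Assumption: both option values are plain comma-separated lists."""
from __future__ import annotations


def parse_list_option(value: str) -> list[str]:
    """Split a comma-separated option value into its entries, dropping
    surrounding whitespace and empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def match_principals_option(option_value: str, cert_principals: list[str]) -> bool:
    """A certificate satisfies principals="..." when at least one of its
    principals is exactly equal to one listed entry.  A certificate
    principal that contains a comma ("alice,bob") is compared as one
    whole string, so it never matches the two entries "alice" and "bob"
    (the case the commit message describes for CVE-2026-35414)."""
    allowed = set(parse_list_option(option_value))
    return any(principal in allowed for principal in cert_principals)


def audit_cert_principals(cert_principals: list[str]) -> list[str]:
    """Added review helper: return certificate principals that contain a
    comma, the shape a CA is expected never to issue."""
    return [principal for principal in cert_principals if "," in principal]


# Full signature-algorithm names of the ECDSA family (constructed list
# for the example; only these three are compared below).
ECDSA_SIG_ALGS = frozenset(
    {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
)


def algorithm_accepted(accepted_value: str, sig_alg: str) -> bool:
    """Correct reading: a signature algorithm is accepted only when its
    full name appears in the accepted-algorithms list."""
    return sig_alg in set(parse_list_option(accepted_value))


def family_accepted_misinterpretation(accepted_value: str, sig_alg: str) -> bool:
    """The reading the advisory text calls wrong: listing any one ECDSA
    algorithm is taken to mean every ECDSA algorithm is accepted.
    Kept only to show how the two readings diverge; do not use."""
    listed = set(parse_list_option(accepted_value))
    if sig_alg in listed:
        return True
    return sig_alg in ECDSA_SIG_ALGS and bool(listed & ECDSA_SIG_ALGS)


if __name__ == "__main__":
    # Constructed authorized_keys option and certificate contents.
    option = "alice,bob"
    print(match_principals_option(option, ["bob"]))          # True
    print(match_principals_option(option, ["alice,bob"]))    # False
    print(audit_cert_principals(["alice", "alice,bob"]))     # ['alice,bob']

    accepted = "ecdsa-sha2-nistp521,ssh-ed25519"
    print(algorithm_accepted(accepted, "ecdsa-sha2-nistp256"))                # False
    print(family_accepted_misinterpretation(accepted, "ecdsa-sha2-nistp256"))  # True
```

The contrast in the last two lines is the whole of CVE-2026-35387 as the advisory states it: with only `ecdsa-sha2-nistp521` listed, the exact reading rejects a nistp256 signature while the family reading lets it through.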