From patchwork Wed May 20 08:29:30 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88517
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)", Bruno Vernay
Subject: [scarthgap][PATCH 1/3] openssh: patch CVE-2026-35385
Date: Wed, 20 May 2026 10:29:30 +0200
Message-ID: <20260520082932.1979208-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237428

From: "Theo Gaige (Schneider Electric)"

Backport patch from [1] matching CVE description in [2] and change described in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a
[2] https://security-tracker.debian.org/tracker/CVE-2026-35385
[3] https://www.openssh.org/releasenotes.html#10.3p1

Signed-off-by: Theo Gaige (Schneider Electric) Reviewed-by: Bruno Vernay --- .../openssh/openssh/CVE-2026-35385.patch | 47 +++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35385.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35385.patch new file mode 100644 index 0000000000..4fc19a6062 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35385.patch 
@@ -0,0 +1,47 @@ +From 9df287221ad61f6b05b3e80bc57bdaacfa5ab243 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 2 Apr 2026 07:42:16 +0000 +Subject: [PATCH] upstream: when downloading files as root in legacy (-O) mode + and + +without the -p (preserve modes) flag set, clear setuid/setgid bits from +downloaded files as one might expect. + +AFAIK this bug dates back to the original Berkeley rcp program. + +Reported by Christos Papakonstantinou of Cantina and Spearbit. + +OpenBSD-Commit-ID: 49e902fca8dd933a92a9b547ab31f63e86729fa1 + +CVE: CVE-2026-35385 +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + scp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scp.c b/scp.c +index 492dace12..2c21fa19a 100644 +--- a/scp.c ++++ b/scp.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: scp.c,v 1.260 2023/10/11 05:42:08 djm Exp $ */ ++/* $OpenBSD: scp.c,v 1.273 2026/04/02 07:42:16 djm Exp $ */ + /* + * scp - secure remote copy. This is basically patched BSD rcp which + * uses ssh to do the data transfer (instead of using rcmd). +@@ -1682,8 +1682,10 @@ sink(int argc, char **argv, const char *src) + + setimes = targisdir = 0; + mask = umask(0); +- if (!pflag) ++ if (!pflag) { ++ mask |= 07000; + (void) umask(mask); ++ } + if (argc != 1) { + run_err("ambiguous target"); + exit(1); +-- +2.43.0 + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index 1cdd888ccb..3a9010a7a4 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
@@ -34,6 +34,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-32728.patch \ file://CVE-2025-61985.patch \ file://CVE-2025-61984.patch \ + file://CVE-2026-35385.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
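
Review bot: In the sink() hunk of scp.c, `mask |= 07000` also covers the sticky bit (01000), while the commit message only mentions setuid/setgid, and nothing in the hunk says why the extra bits are ORed into a value that is then handed to umask(). POSIX leaves the effect of non-permission bits passed to umask() implementation-defined, so the fix depends on `mask` being applied to the received mode later in sink(), outside the visible context. Please confirm that this use exists in the 9.6p1 scp.c and add a short comment above the assignment, for example `/* strip setuid/setgid/sticky unless -p */`.
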
From patchwork Wed May 20 08:29:31 2026
X-Patchwork-Submitter: tgaige.opensource@witekio.com
X-Patchwork-Id: 88518
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)", Bruno Vernay
Subject: [scarthgap][PATCH 2/3] openssh: patch CVE-2026-35387
Date: Wed, 20 May 2026 10:29:31 +0200
Message-ID: <20260520082932.1979208-2-tgaige.opensource@witekio.com>
In-Reply-To: <20260520082932.1979208-1-tgaige.opensource@witekio.com>
References: <20260520082932.1979208-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237429

From: "Theo Gaige (Schneider Electric)"

Backport patch from [1] matching CVE description in [2] and change described in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa
[2] https://security-tracker.debian.org/tracker/CVE-2026-35387
[3] https://www.openssh.org/releasenotes.html#10.3p1

Signed-off-by: Theo Gaige (Schneider Electric) Reviewed-by: Bruno Vernay --- .../openssh/openssh/CVE-2026-35387.patch | 205 ++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 206 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch new file mode 100644 index 0000000000..c4806bd993 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch 
@@ -0,0 +1,205 @@ +From faaf123656513f16994853379c388ad8cc850f8c Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 2 Apr 2026 07:48:13 +0000 +Subject: [PATCH] upstream: correctly match ECDSA signature algorithms against + +algorithm allowlists: HostKeyAlgorithms, PubkeyAcceptedAlgorithms and +HostbasedAcceptedAlgorithms. + +Previously, if any ECDSA type (say "ecdsa-sha2-nistp521") was +present in one of these lists, then all ECDSA algorithms would +be permitted. + +Reported by Christos Papakonstantinou of Cantina and Spearbit. + +OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86 + +CVE: CVE-2026-35387 +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + auth2-hostbased.c | 9 +++++---- + auth2-pubkey.c | 9 +++++---- + auth2-pubkeyfile.c | 26 +++++++++++++++----------- + sshconnect2.c | 28 ++++++++++++++++++---------- + 4 files changed, 43 insertions(+), 29 deletions(-) + +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index 06bb464ff..02eeed3f0 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth2-hostbased.c,v 1.52 2023/03/05 05:34:09 dtucker Exp $ */ ++/* $OpenBSD: auth2-hostbased.c,v 1.57 2026/04/02 07:48:13 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. 
+ * +@@ -95,9 +95,10 @@ userauth_hostbased(struct ssh *ssh, const char *method) + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) { +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index 3f49e1df3..1e07ff74e 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth2-pubkey.c,v 1.119 2023/07/27 22:25:17 djm Exp $ */ ++/* $OpenBSD: auth2-pubkey.c,v 1.126 2026/04/02 07:48:13 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. All rights reserved. +@@ -148,9 +148,10 @@ userauth_pubkey(struct ssh *ssh, const char *method) + error_f("cannot decode key: %s", pkalg); + goto done; + } +- if (key->type != pktype) { +- error_f("type mismatch for decoded key " +- "(received %d, expected %d)", key->type, pktype); ++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA && ++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) { ++ error_f("key type mismatch for decoded key " ++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg); + goto done; + } + if (auth2_key_already_used(authctxt, key)) { +diff --git a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c +index 31e7481fb..869c8e055 100644 +--- a/auth2-pubkeyfile.c ++++ b/auth2-pubkeyfile.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth2-pubkeyfile.c,v 1.4 2023/03/05 05:34:09 dtucker Exp $ */ ++/* $OpenBSD: auth2-pubkeyfile.c,v 1.8 2026/04/02 07:48:13 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2010 Damien Miller. 
All rights reserved. +@@ -50,6 +50,7 @@ + #include "authfile.h" + #include "match.h" + #include "ssherr.h" ++#include "xmalloc.h" + + int + auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, +@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts, + static int + match_principals_option(const char *principal_list, struct sshkey_cert *cert) + { +- char *result; ++ char *list, *olist, *entry; + u_int i; + +- /* XXX percent_expand() sequences for authorized_principals? */ +- +- for (i = 0; i < cert->nprincipals; i++) { +- if ((result = match_list(cert->principals[i], +- principal_list, NULL)) != NULL) { +- debug3("matched principal from key options \"%.100s\"", +- result); +- free(result); +- return 1; ++ olist = list = xstrdup(principal_list); ++ for (;;) { ++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0') ++ break; ++ for (i = 0; i < cert->nprincipals; i++) { ++ if (strcmp(entry, cert->principals[i]) == 0) { ++ debug3("matched principal from key i" ++ "options \"%.100s\"", entry); ++ free(olist); ++ return 1; ++ } + } + } ++ free(olist); + return 0; + } + +diff --git a/sshconnect2.c b/sshconnect2.c +index a5f92f04c..a296c9b8c 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect2.c,v 1.371 2023/12/18 14:45:49 djm Exp $ */ ++/* $OpenBSD: sshconnect2.c,v 1.385 2026/04/02 07:48:13 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2008 Damien Miller. All rights reserved. 
+@@ -91,6 +91,7 @@ extern Options options; + static char *xxx_host; + static struct sockaddr *xxx_hostaddr; + static const struct ssh_conn_info *xxx_conn_info; ++static int key_type_allowed(struct sshkey *, const char *); + + static int + verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) +@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + if ((r = sshkey_check_rsa_length(hostkey, + options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); ++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) { ++ fatal("Server host key %s not in HostKeyAlgorithms", ++ sshkey_ssh_name(hostkey)); ++ } + if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, + xxx_conn_info) != 0) + fatal("Host key verification failed."); +@@ -1608,34 +1613,37 @@ load_identity_file(Identity *id) + } + + static int +-key_type_allowed_by_config(struct sshkey *key) ++key_type_allowed(struct sshkey *key, const char *allowlist) + { +- if (match_pattern_list(sshkey_ssh_name(key), +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1) + return 1; + + /* RSA keys/certs might be allowed by alternate signature types */ + switch (key->type) { + case KEY_RSA: +- if (match_pattern_list("rsa-sha2-512", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1) + return 1; +- if (match_pattern_list("rsa-sha2-256", +- options.pubkey_accepted_algos, 0) == 1) ++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1) + return 1; + break; + case KEY_RSA_CERT: + if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", +- options.pubkey_accepted_algos, 0) == 1) ++ allowlist, 0) == 1) + return 1; + break; + } + return 0; + } + ++static int ++key_type_allowed_by_config(struct sshkey *key) ++{ ++ return 
key_type_allowed(key, options.pubkey_accepted_algos); ++} ++ + /* obtain a list of keys from the agent */ + static int + get_agent_identities(struct ssh *ssh, int *agent_fdp, +-- +2.43.0 + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index 3a9010a7a4..9267bbd2c9 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-61985.patch \ file://CVE-2025-61984.patch \ file://CVE-2026-35385.patch \ + file://CVE-2026-35387.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
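
Review bot: The new type check in userauth_hostbased() (auth2-hostbased.c) and userauth_pubkey() (auth2-pubkey.c) is the same condition copied into both files, with no comment explaining why `key->type != pktype` alone does not distinguish ECDSA curves. A one-line comment next to the `sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid` comparison, or a small shared helper taking `key` and `pkalg`, would keep the two sites from drifting apart in later backports. The error text and its arguments also change (`%d` type numbers become algorithm names), so any log matching built on the old format needs updating.
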
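
Review bot: The match_principals_option() hunk in auth2-pubkeyfile.c is not covered by the commit message, which only describes ECDSA algorithm allowlists: it replaces `match_list()` with an exact `strcmp()` over `strsep()` tokens, a separate behaviour change for principals matching that deserves its own sentence in the patch header. Within the loop, `*entry == '\0'` breaks out on the first empty element, so a list such as `a,,b` is never checked against `b`; if that is intended it should be commented. The debug3 format string also carries a stray `i` (`"matched principal from key i"` followed by `"options ..."`), which prints as "key ioptions"; since the patch is marked Upstream-Status: Backport, keep it only if it matches the upstream commit exactly.
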
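
Review bot: In the verify_host_key_callback() hunk of sshconnect2.c, `options.hostkeyalgorithms` is passed straight to key_type_allowed() and from there to match_pattern_list(), with no visible guarantee that the option is non-NULL at this point; please confirm that 9.6p1 always fills in the default list before the callback runs. The refactor also means the RSA fallbacks (`rsa-sha2-512`, `rsa-sha2-256` and their cert variants) now apply to host keys as well as to `options.pubkey_accepted_algos`, which is worth stating in a comment above key_type_allowed() so the broader use is not missed.
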
From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com, "Theo Gaige (Schneider Electric)" , Bruno Vernay
Subject: [scarthgap][PATCH 3/3] openssh: patch CVE-2026-35388
Date: Wed, 20 May 2026 10:29:32 +0200
Message-ID: <20260520082932.1979208-3-tgaige.opensource@witekio.com>
In-Reply-To: <20260520082932.1979208-1-tgaige.opensource@witekio.com>
References: <20260520082932.1979208-1-tgaige.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237430

From: "Theo Gaige (Schneider Electric)"

Backport patch from [1] matching CVE description in [2] and change described in release note [3].

[1] https://github.com/openssh/openssh-portable/commit/c805b97b67c774e0bf922ffb29dfbcda9d7b5add
[2] https://security-tracker.debian.org/tracker/CVE-2026-35388
[3] https://www.openssh.org/releasenotes.html#10.3p1

Signed-off-by: Theo Gaige (Schneider Electric)
Reviewed-by: Bruno Vernay
--- .../openssh/openssh/CVE-2026-35388.patch | 47 +++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2026-35388.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35388.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35388.patch new file mode 100644 index 0000000000..d5afe2538f --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35388.patch 
@@ -0,0 +1,47 @@ +From be42fe5ce64f2798048161a891083ef12780ca2a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 2 Apr 2026 07:39:57 +0000 +Subject: [PATCH] upstream: add missing askpass check when using + +ControlMaster=ask/autoask and "ssh -O proxy ..."; reported by Michalis +Vasileiadis + +OpenBSD-Commit-ID: 8dd7b9b96534e9a8726916b96d36bed466d3836a + +CVE: CVE-2026-35388 +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/c805b97b67c774e0bf922ffb29dfbcda9d7b5add] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + mux.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/mux.c b/mux.c +index d598a17e2..c841feb79 100644 +--- a/mux.c ++++ b/mux.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: mux.c,v 1.101 2023/11/23 03:37:05 dtucker Exp $ */ ++/* $OpenBSD: mux.c,v 1.113 2026/04/02 07:39:57 djm Exp $ */ + /* + * Copyright (c) 2002-2008 Damien Miller + * +@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh, u_int rid, + + debug_f("channel %d: proxy request", c->self); + ++ if (options.control_master == SSHCTL_MASTER_ASK || ++ options.control_master == SSHCTL_MASTER_AUTO_ASK) { ++ if (!ask_permission("Allow multiplex proxy connection?")) { ++ debug2_f("proxy refused by user"); ++ reply_error(reply, MUX_S_PERMISSION_DENIED, rid, ++ "Permission denied"); ++ return 0; ++ } ++ } ++ + c->mux_rcb = channel_proxy_downstream; + if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || + (r = sshbuf_put_u32(reply, rid)) != 0) +-- +2.43.0 + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index 9267bbd2c9..a1b5d4a553 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
@@ -36,6 +36,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2025-61984.patch \ file://CVE-2026-35385.patch \ file://CVE-2026-35387.patch \ + file://CVE-2026-35388.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"
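Review bot: the first mux.c hunk inside CVE-2026-35388.patch (@@ -1,4 +1,4 @@) bumps the $OpenBSD ident from 1.101 to 1.113, which is unrelated to the fix and labels the 9.6p1 file as a revision whose intermediate changes this backport does not carry. Drop that hunk so the embedded patch is only the ten added lines in mux_master_process_proxy, and adjust the embedded diffstat ("11 insertions(+), 1 deletion(-)") and the 47-line count of the new file to match. It also avoids a context conflict on line 1 of mux.c with any other patch in SRC_URI that touches the ident line.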
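Review bot: the new ask_permission branch in mux_master_process_proxy was written against mux.c 1.113 and lands here on 1.101 at line 1137, yet the commit message only lists references and says nothing about how it was checked on 9.6p1. Please state that the hunk applies without fuzz and that, with ControlMaster=ask or autoask, a refused "ssh -O proxy" request is answered with MUX_S_PERMISSION_DENIED before c->mux_rcb is assigned, so channel_proxy_downstream is never installed on the refusal path.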