diff --git a/SPECS/openssh/CVE-2026-35385.patch b/SPECS/openssh/CVE-2026-35385.patch
new file mode 100644
index 00000000000..7ead178f72a
--- /dev/null
+++ b/SPECS/openssh/CVE-2026-35385.patch
@@ -0,0 +1,39 @@
+From b49e0d724dc1d934a29bc2ef5d09914a8ea989e0 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 6 Apr 2026 08:28:45 +0000
+Subject: [PATCH] upstream: when downloading files as root in legacy (-O) mode
+ and without the -p flag, clear setuid/setgid bits from downloaded files;
+ update RCSID
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a.patch
+---
+ scp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 0779c3c..18d3fd9 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,5 @@
+-/* $OpenBSD: scp.c,v 1.261 2024/06/26 23:14:14 deraadt Exp $ */
++
++/* $OpenBSD: scp.c,v 1.273 2026/04/02 07:42:16 djm Exp $ */
+ /*
+ * scp - secure remote copy. This is basically patched BSD rcp which
+ * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1684,8 +1685,10 @@ sink(int argc, char **argv, const char *src)
+ 
+ setimes = targisdir = 0;
+ mask = umask(0);
+- if (!pflag)
++ if (!pflag) {
++ mask |= 07000;
+ (void) umask(mask);
++ }
+ if (argc != 1) {
+ run_err("ambiguous target");
+ exit(1);
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/CVE-2026-35386.patch b/SPECS/openssh/CVE-2026-35386.patch
new file mode 100644
index 00000000000..abaf078f24d
--- /dev/null
+++ b/SPECS/openssh/CVE-2026-35386.patch
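Review bot: The fix relies on `mask |= 07000` being honoured by umask(2), but on Linux the umask is truncated to the 0777 permission bits when it is set, so on this distribution the file later created with O_CREAT in sink() (outside the hunk) would still receive S_ISUID/S_ISGID from the remote-supplied mode and the CVE would remain open; OpenBSD keeps the full 07777 in its umask, which is presumably why an umask-based form works there. I would compare this against the referenced upstream commit and, if it differs, clear the bits in the mode that sink() parses from the remote C record when `-p` is not given, e.g. `if (!pflag) mode &= ~(S_ISUID|S_ISGID);` before the open, with a comment naming CVE-2026-35385. The first hunk also inserts an empty line above the new RCSID (`++` followed by `++/* $OpenBSD: scp.c,v 1.273 ...`), which should be dropped. sink() begins and ends outside the hunk.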
@@ -0,0 +1,43 @@
+From 780ad8801fd285719402dc0f0900bad39f442128 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 6 Apr 2026 08:23:22 +0000
+Subject: [PATCH] =?UTF-8?q?upstream:=20move=20username=20validity=20check?=
+ =?UTF-8?q?=20earlier=20in=20main()=20to=20ensure=20commandline-specified?=
+ =?UTF-8?q?=20usernames=20are=20validated=20before=20use=20in=20%token=20e?=
+ =?UTF-8?q?xpansion=20during=20config=20parsing;=20also=20check=20hostname?=
+ =?UTF-8?q?.=20Reported=20by=20Florian=20Kohnh=C3=A4user.=20OpenBSD-Commit?=
+ =?UTF-8?q?-ID:=2025ef72223f5ccf1c38d307ae77c23c03f59acc55?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3.patch
+---
+ ssh.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 182c7c3..e6e2314 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1155,10 +1155,14 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+ 
+- if (!valid_hostname(host))
+- fatal("hostname contains invalid characters");
++ /*
++ * Validate commandline-specified values that end up in %tokens
++ * before they are used in config parsing.
++ */
+ if (options.user != NULL && !valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
+ options.host_arg = xstrdup(host);
+ 
+ /* Initialize the command to execute on remote host. */
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/CVE-2026-35388.patch b/SPECS/openssh/CVE-2026-35388.patch
new file mode 100644
index 00000000000..88146c44f23
--- /dev/null
+++ b/SPECS/openssh/CVE-2026-35388.patch
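Review bot: The hunk only swaps the order of two adjacent fatal() checks that were both already present on the old side, so apart from which message appears when host and user are both invalid nothing observable changes. The upstream commit's intent is that valid_ruser() runs before the config files are parsed and %r is expanded; if the 9.8 tree already has the check at this point (the context line suggests an earlier CVE-2025-61984 backport placed it here), this patch is effectively a no-op, and the real question is whether a second, later valid_ruser() check or an earlier use of options.user in %token expansion still exists in main() outside this hunk. I would diff the result against the referenced upstream commit rather than take the backport at face value. main() begins and ends outside the hunk.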
@@ -0,0 +1,38 @@
+From d2d8e7ab24708fa3a44ac35c01bb537707dff72f Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 6 Apr 2026 08:24:13 +0000
+Subject: [PATCH] upstream: add missing askpass check for
+ ControlMaster=ask/autoask in mux proxy request (ssh -O proxy). Reported by
+ Michalis Vasileiadis.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/c805b97b67c774e0bf922ffb29dfbcda9d7b5add.patch
+---
+ mux.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/mux.c b/mux.c
+index d598a17..c0f4ff0 100644
+--- a/mux.c
++++ b/mux.c
+@@ -1137,6 +1137,17 @@ mux_master_process_proxy(struct ssh *ssh, u_int rid,
+ 
+ debug_f("channel %d: proxy request", c->self);
+ 
++
++ if (options.control_master == SSHCTL_MASTER_ASK ||
++ options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++ if (!ask_permission("Allow multiplex proxy connection?")) {
++ debug2_f("proxy refused by user");
++ reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++ "Permission denied");
++ return 0;
++ }
++ }
++
+ c->mux_rcb = channel_proxy_downstream;
+ if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ (r = sshbuf_put_u32(reply, rid)) != 0)
+-- 
+2.45.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
index 2a29bf14bf6..5fb163fbc0e 100644
--- a/SPECS/openssh/openssh.spec
+++ b/SPECS/openssh/openssh.spec
@@ -3,7 +3,7 @@
 Summary: Free version of the SSH connectivity tools
 Name: openssh
 Version: %{openssh_ver}
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -42,6 +42,9 @@ Patch403: CVE-2025-61985.patch
 # The tests fail with the following error:
 # dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
 Patch965: openssh-8.2p1-visibility.patch
+Patch966: CVE-2026-35385.patch
+Patch967: CVE-2026-35386.patch
+Patch968: CVE-2026-35388.patch
 
 BuildRequires: audit-devel
 BuildRequires: autoconf
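Review bot: The prompt `"Allow multiplex proxy connection?"` tells the user nothing about what they are authorising; the other ask_permission() prompts in mux.c (outside this hunk) name the target, so `"Allow multiplex proxy connection to %s? ", host` would be consistent, assuming the `host` global used by the new-session prompt is reachable here. Placing the check before `c->mux_rcb = channel_proxy_downstream` is correct, since a refusal then leaves the channel untouched. A style nit: an extra empty line is added directly after the existing blank context line, leaving two consecutive blank lines before the `if`. mux_master_process_proxy begins and ends outside the hunk.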
@@ -103,6 +106,9 @@ The module is most useful for su and sudo service stacks.
 
 %prep
 %setup -q -a 3
+%patch 966 -p1
+%patch 967 -p1
+%patch 968 -p1
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch -P 300 -p2 -b .psaa-build
 
@@ -279,6 +285,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 
 %changelog
+* Mon Apr 06 2026 Azure Linux Security Servicing Account - 9.8p1-6
+- Patch CVE-2026-35385, CVE-2026-35386, CVE-2026-35388
+
 * Tue Oct 07 2025 Azure Linux Security Servicing Account - 9.8p1-5
 - Patch CVE-2025-61985, CVE-2025-61984
 
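Review bot: The three new `%patch 966 -p1` lines use the bare-number spelling while the neighbouring context line uses `%patch -P 300 -p2`; for consistency, and because the bare-number form is only accepted by recent rpm as far as I recall, I would write `%patch -P 966 -p1`, `%patch -P 967 -p1` and `%patch -P 968 -p1`. It is also worth checking how Patch403 and the other CVE patches are applied elsewhere in %prep (outside this hunk) so the new ones follow the same mechanism and cannot be applied twice. The %prep section continues outside the hunk.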