microsoft · jslobodzian · Apr 10, 2026 · Apr 6, 2026 · Apr 7, 2026 · Apr 7, 2026
@@ -0,0 +1,39 @@
+From b49e0d724dc1d934a29bc2ef5d09914a8ea989e0 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 6 Apr 2026 08:28:45 +0000
+Subject: [PATCH] upstream: when downloading files as root in legacy (-O) mode
+ and without the -p flag, clear setuid/setgid bits from downloaded files;
+ update RCSID
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/487e8ac146f7d6616f65c125d5edb210519b833a.patch
+---
+ scp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 0779c3c..18d3fd9 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,5 @@
+-/* $OpenBSD: scp.c,v 1.261 2024/06/26 23:14:14 deraadt Exp $ */
++
++/* $OpenBSD: scp.c,v 1.273 2026/04/02 07:42:16 djm Exp $ */
+ /*
+  * scp - secure remote copy.  This is basically patched BSD rcp which
+  * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1684,8 +1685,10 @@ sink(int argc, char **argv, const char *src)
+
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
++	if (!pflag) {
++		mask |= 07000;
+ 		(void) umask(mask);
++	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);
+-- 
+2.45.4
+
@@ -0,0 +1,43 @@
+From 780ad8801fd285719402dc0f0900bad39f442128 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 6 Apr 2026 08:23:22 +0000
+Subject: [PATCH] =?UTF-8?q?upstream:=20move=20username=20validity=20check?=
+ =?UTF-8?q?=20earlier=20in=20main()=20to=20ensure=20commandline-specified?=
+ =?UTF-8?q?=20usernames=20are=20validated=20before=20use=20in=20%token=20e?=
+ =?UTF-8?q?xpansion=20during=20config=20parsing;=20also=20check=20hostname?=
+ =?UTF-8?q?.=20Reported=20by=20Florian=20Kohnh=C3=A4user.=20OpenBSD-Commit?=
+ =?UTF-8?q?-ID:=2025ef72223f5ccf1c38d307ae77c23c03f59acc55?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3.patch
+---
+ ssh.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 182c7c3..e6e2314 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1155,10 +1155,14 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+
+-	if (!valid_hostname(host))
+-		fatal("hostname contains invalid characters");
++	/*
++	 * Validate commandline-specified values that end up in %tokens
++	 * before they are used in config parsing.
++	 */
+ 	if (options.user != NULL && !valid_ruser(options.user))
+ 		fatal("remote username contains invalid characters");
++	if (!valid_hostname(host))
++		fatal("hostname contains invalid characters");
+ 	options.host_arg = xstrdup(host);
+
+ 	/* Initialize the command to execute on remote host. */
+-- 
+2.45.4
+
@@ -0,0 +1,38 @@
+From d2d8e7ab24708fa3a44ac35c01bb537707dff72f Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 6 Apr 2026 08:24:13 +0000
+Subject: [PATCH] upstream: add missing askpass check for
+ ControlMaster=ask/autoask in mux proxy request (ssh -O proxy). Reported by
+ Michalis Vasileiadis.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssh/openssh-portable/commit/c805b97b67c774e0bf922ffb29dfbcda9d7b5add.patch
+---
+ mux.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/mux.c b/mux.c
+index d598a17..c0f4ff0 100644
+--- a/mux.c
++++ b/mux.c
+@@ -1137,6 +1137,17 @@ mux_master_process_proxy(struct ssh *ssh, u_int rid,
+
+ 	debug_f("channel %d: proxy request", c->self);
+
++
++	if (options.control_master == SSHCTL_MASTER_ASK ||
++	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++		if (!ask_permission("Allow multiplex proxy connection?")) {
++			debug2_f("proxy refused by user");
++			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++			    "Permission denied");
++			return 0;
++		}
++	}
++
+ 	c->mux_rcb = channel_proxy_downstream;
+ 	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ 	    (r = sshbuf_put_u32(reply, rid)) != 0)
+-- 
+2.45.4
+
@@ -3,7 +3,7 @@
 Summary:        Free version of the SSH connectivity tools
 Name:           openssh
 Version:        %{openssh_ver}
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -42,6 +42,9 @@ Patch403:       CVE-2025-61985.patch
 # The tests fail with the following error:
 #   dlsym(sk_api_version) failed: (...)/sk-dummy.so: undefined symbol: sk_api_version
 Patch965: openssh-8.2p1-visibility.patch
+Patch966: CVE-2026-35385.patch
+Patch967: CVE-2026-35386.patch
+Patch968: CVE-2026-35388.patch
 
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
@@ -103,6 +106,9 @@ The module is most useful for su and sudo service stacks.
 
 %prep
 %setup -q -a 3
+%patch 966 -p1
+%patch 967 -p1
+%patch 968 -p1
 
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch -P 300 -p2 -b .psaa-build
@@ -279,6 +285,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 
 %changelog
+* Mon Apr 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 9.8p1-6
+- Patch CVE-2026-35385, CVE-2026-35386, CVE-2026-35388
+
 * Tue Oct 07 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 9.8p1-5
 - Patch CVE-2025-61985, CVE-2025-61984