The openssh commit fd1c7e131f331942d20f42f31e79912d570081fa fixes 2 CVEs:
CVE-2026-35414 and CVE-2026-35387.

CVE-2026-35414:
| OpenSSH before 10.3 mishandles the authorized_keys principals option
| in uncommon scenarios involving a principals list in conjunction
| with a Certificate Authority that makes certain use of comma
| characters.

The match_principals_option() function is fixed. Before this fix:
When matching an authorized_keys principals="" option against a list of
principals in a certificate, an incorrect algorithm was used that could
allow inappropriate matching in cases where a principal name in the
certificate contains a comma character. Exploitation of the condition
requires an authorized_keys principals="" option that lists more than
one principal *and* a CA that will issue a certificate that encodes more
than one of these principal names separated by a comma (typical CAs
strongly constrain which principal names they will place in a
certificate). This condition only applies to user- trusted CA keys in
authorized_keys, the main certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.

CVE-2026-35387:
| OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of
| any ECDSA algorithm in PubkeyAcceptedAlgorithms or
| HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
| algorithms.

The rest of the patch allows to correctly match ECDSA signature algorithms
against algorithm allowlists.

The full explanation can be found on debian repository:
https://salsa.debian.org/ssh-team/openssh/-/commit/ae190b6440b7c599d759527965334eeb49cc75b3

Signed-off-by: Benjamin Robin (Schneider Electric) <[email protected]>
---
Changes in v2:
- Update commit message to clarify why the patch is fixing 2 CVEs
- Link to v1: 
https://patch.msgid.link/[email protected]
---
 .../{CVE-2026-35387.patch => CVE-2026-35414-CVE-2026-35387.patch}       | 2 +-
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb                      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
similarity index 99%
rename from meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
rename to 
meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
index c4806bd9935c..4839d76fa808 100644
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2026-35387.patch
+++ 
b/meta/recipes-connectivity/openssh/openssh/CVE-2026-35414-CVE-2026-35387.patch
@@ -14,7 +14,7 @@ Reported by Christos Papakonstantinou of Cantina and Spearbit.
 
 OpenBSD-Commit-ID: c790e2687c35989ae34a00e709be935c55b16a86
 
-CVE: CVE-2026-35387
+CVE: CVE-2026-35414 CVE-2026-35387
 Upstream-Status: Backport 
[https://github.com/openssh/openssh-portable/commit/fd1c7e131f331942d20f42f31e79912d570081fa]
 Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]>
 ---
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index ea158b56b419..4193bc8a5b41 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -35,7 +35,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2025-61985.patch \
            file://CVE-2025-61984_CVE-2026-35386.patch \
            file://CVE-2026-35385.patch \
-           file://CVE-2026-35387.patch \
+           file://CVE-2026-35414-CVE-2026-35387.patch \
            file://CVE-2026-35388.patch \
            "
 SRC_URI[sha256sum] = 
"910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c"

---
base-commit: 2814f0962f56c8d1afa4de76d2895ba9b5cb767d
change-id: 20260702-openssh-cve-2026-35414-07494753183a

Best regards,
--  
Benjamin Robin (Schneider Electric) <[email protected]>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240052): 
https://lists.openembedded.org/g/openembedded-core/message/240052
Mute This Topic: https://lists.openembedded.org/mt/120083136/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to