UbuntuUpdates.org

Package "openssh"

Name: openssh

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • secure shell (SSH) client, with GSS-API support
  • secure shell (SSH) server, with GSS-API key exchange
  • OpenSSH regression tests
  • interactive X program to prompt users for a passphrase for ssh-add

Latest version: 1:10.2p1-2ubuntu3.2
Release: resolute (26.04)
Level: security
Repository: universe


Other versions of "openssh" in Resolute

Repository  Area      Version
base        main      1:10.2p1-2ubuntu3
base        universe  1:10.2p1-2ubuntu3
security    main      1:10.2p1-2ubuntu3.2


Changelog

Version: 1:10.2p1-2ubuntu3.2 2026-04-29 13:08:18 UTC

  openssh (1:10.2p1-2ubuntu3.2) resolute-security; urgency=medium

  * SECURITY UPDATE: unexpected scp setuid and setgid
    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from
      downloaded files in scp.c.
    - CVE-2026-35385
  * SECURITY UPDATE: command execution via shell metacharacters in username
    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on
      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.
    - debian/patches/CVE-2026-35386.patch: move username check earlier in
      ssh.c.
    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity
      check change in regress/percent.sh.
    - CVE-2026-35386
  * SECURITY UPDATE: use of unintended ECDSA algorithms
    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA
      signature algorithms against algorithm allowlists in
      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.
    - CVE-2026-35387
  * SECURITY UPDATE: missing connection multiplexing confirmation
    - debian/patches/CVE-2026-35388.patch: add missing askpass check in
      mux.c.
    - CVE-2026-35388
  * SECURITY UPDATE: authorized_keys principals option mishandling
    - debian/patches/CVE-2026-35387_35414.patch: check for commas in
      auth2-pubkeyfile.c.
    - CVE-2026-35414

 -- Marc Deslauriers <email address hidden> Mon, 27 Apr 2026 20:15:40 -0400

CVE-2026-35385 In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download
CVE-2026-35386 In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the
CVE-2026-35387 OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is
CVE-2026-35388 OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
CVE-2026-35414 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certific
