Updated openssh packages fix security vulnerabilities
Publication date: 10 Jun 2026Modification date: 10 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-35385 , CVE-2026-35386 , CVE-2026-35387 , CVE-2026-35388 , CVE-2026-35414
Description
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid
or setgid, an outcome contrary to some users' expectations, if the
download is performed as root with -O (legacy scp protocol) and without
-p (preserve mode). (CVE-2026-35385)
In OpenSSH before 10.3, command execution can occur via shell
metacharacters in a username within a command line. This requires a
scenario where the username on the command line is untrusted, and also
requires a non-default configurations of % in ssh_config.
(CVE-2026-35386)
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any
ECDSA algorithm in PubkeyAcceptedAlgorithms or
HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
algorithms. (CVE-2026-35387)
OpenSSH before 10.3 omits connection multiplexing confirmation for
proxy-mode multiplexing sessions. (CVE-2026-35388)
OpenSSH before 10.3 mishandles the authorized_keys principals option in
uncommon scenarios involving a principals list in conjunction with a
Certificate Authority that makes certain use of comma characters.
(CVE-2026-35414)
References
- https://bugs.mageia.org/show_bug.cgi?id=35432
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTBNRP3YCILEN5YUGOHA6V6DOMMOBMBJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5G3QGTIHCK3F2NLJBFVZ56PCJ7RIYKLO/
- https://ubuntu.com/security/notices/USN-8222-1
- https://www.cve.org/CVERecord?id=CVE-2026-35385
- https://www.cve.org/CVERecord?id=CVE-2026-35386
- https://www.cve.org/CVERecord?id=CVE-2026-35387
- https://www.cve.org/CVERecord?id=CVE-2026-35388
- https://www.cve.org/CVERecord?id=CVE-2026-35414
SRPMS
9/core
- openssh-9.3p1-2.7.mga9