Skip to content

fix(openssh): pin-forward to f43 for 8 CVEs#17265

Closed
tobiasb-ms wants to merge 1 commit into
tomls/base/mainfrom
tobiasb-ms/cve-fix-openssh
Closed

fix(openssh): pin-forward to f43 for 8 CVEs#17265
tobiasb-ms wants to merge 1 commit into
tomls/base/mainfrom
tobiasb-ms/cve-fix-openssh

Conversation

@tobiasb-ms
Copy link
Copy Markdown
Contributor

@tobiasb-ms tobiasb-ms commented May 15, 2026

CVE Pin-Forward: openssh

Pins openssh to Fedora f43 HEAD (d5a4300) to pick up
8 CVE patches added upstream.

CVEs Resolved

CVE Severity Status
CVE-2026-35385 High Tracked
CVE-2026-35386 High Tracked
CVE-2026-35414 High Tracked
CVE-2025-61984 Additional
CVE-2025-61985 Additional
CVE-2026-3497 Additional
CVE-2026-35387 Additional
CVE-2026-35388 Additional

Fedora Spec Delta

Old commit: c32475e
New commit: d5a4300

New patches:

  • 0054-openssh-9.9p1-scp-clear-setuid.patch
  • 0055-openssh-9.9p1-mux-askpass-check.patch
  • 0056-openssh-9.9p1-ecdsa-incomplete-application.patch
  • 0057-openssh-9.9p1-authorized-keys-principles-option.patch
  • 0058-openssh-9.9p1-reject-null-char-in-url-string.patch
  • 0059-openssh-10.0p1-reject-cntrl-chars-in-username.patch

@tobiasb-ms
fix(openssh): pin-forward to f43 HEAD for 8 CVEs
9a1cd60 
Pin locks/openssh.lock to Fedora f43 HEAD to pick up
CVE-specific patches added upstream.

CVEs resolved (3 tracked, 5 additional):

  Tracked:
    CVE-2026-35385 (High)
    CVE-2026-35386 (High)
    CVE-2026-35414 (High)

  Additional:
    CVE-2025-61984
    CVE-2025-61985
    CVE-2026-3497
    CVE-2026-35387
    CVE-2026-35388

Fedora f43 spec delta (c32475e..d5a4300):
  + 0054-openssh-9.9p1-scp-clear-setuid.patch
  + 0055-openssh-9.9p1-mux-askpass-check.patch
  + 0056-openssh-9.9p1-ecdsa-incomplete-application.patch
  + 0057-openssh-9.9p1-authorized-keys-principles-option.patch
  + 0058-openssh-9.9p1-reject-null-char-in-url-string.patch
  + 0059-openssh-10.0p1-reject-cntrl-chars-in-username.patch
@tobiasb-ms
Copy link
Copy Markdown
Contributor Author

tobiasb-ms commented May 16, 2026

Closing — retargeting to new branch.

@tobiasb-ms tobiasb-ms closed this May 16, 2026
@tobiasb-ms tobiasb-ms deleted the tobiasb-ms/cve-fix-openssh branch May 16, 2026 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ddstreetmicrosoft ddstreetmicrosoft Awaiting requested review from ddstreetmicrosoft ddstreetmicrosoft will be requested when the pull request is marked ready for review ddstreetmicrosoft is a code owner

@reubeno reubeno Awaiting requested review from reubeno reubeno will be requested when the pull request is marked ready for review reubeno is a code owner

@christopherco christopherco Awaiting requested review from christopherco christopherco will be requested when the pull request is marked ready for review christopherco is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tobiasb-ms