rpms/openssh
7
0
Fork 2
Code Issues Pull Requests Releases Activity

Fix CVE-2026-35388

Browse Source 
Add connection multiplexing confirmation for proxy-mode
multiplexing sessions

Resolves: RHEL-166251

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2026-04-14 10:39:41 +02:00
parent fe1ca1cded
commit 543ad4010f
2 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
openssh-9.9p1-mux-askpass-check.patch Normal file
View File

@ -0,0 +1,20 @@
diff --color -ruNp a/mux.c b/mux.c
--- a/mux.c 2024-09-20 00:20:48.000000000 +0200
+++ b/mux.c 2026-04-09 15:02:36.016198814 +0200
@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh
debug_f("channel %d: proxy request", c->self);
+ if (options.control_master == SSHCTL_MASTER_ASK ||
+ options.control_master == SSHCTL_MASTER_AUTO_ASK) {
+ if (!ask_permission("Allow multiplex proxy connection?")) {
+ debug2_f("proxy refused by user");
+ reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
+ "Permission denied");
+ return 0;
+ }
+ }
+
c->mux_rcb = channel_proxy_downstream;
if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
(r = sshbuf_put_u32(reply, rid)) != 0)

6
openssh.spec
View File

@ -251,6 +251,8 @@ Patch1039: openssh-9.9p1-compat-mlkem.patch
Patch1040: openssh-9.9p1-fill-default-options-error.patch
# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
Patch1041: openssh-9.9p1-scp-clear-setuid.patch
# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
Patch1042: openssh-9.9p1-mux-askpass-check.patch
License: BSD
Requires: /sbin/nologin
@ -466,6 +468,7 @@ popd
%patch1039 -p1 -b .skip-mlkem-when-na
%patch1040 -p1 -b .fill-default-options-error
%patch1041 -p1 -b .scp-clear-setuid
%patch1042 -p1 -b .mux-askpass-check
%patch100 -p1 -b .coverity
@ -764,6 +767,9 @@ test -f %{sysconfig_anaconda} && \
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode
Resolves: RHEL-164754
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
Resolves: RHEL-166251
* Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
- Version bump