Fix CVE-2026-35388

Add connection multiplexing confirmation for proxy-mode
multiplexing sessions

Resolves: RHEL-166240

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
Zoltan Fridrich 2026-04-13 16:05:06 +02:00
parent 88a5a3fe2b
commit d0ca366ec2
2 changed files with 26 additions and 0 deletions


@ -0,0 +1,20 @@
diff --color -ruNp a/mux.c b/mux.c
--- a/mux.c 2026-04-15 12:22:36.533931440 +0200
+++ b/mux.c 2026-04-15 12:24:40.020578991 +0200
@@ -1133,6 +1133,16 @@ mux_master_process_proxy(struct ssh *ssh
debug("%s: channel %d: proxy request", __func__, c->self);
+ if (options.control_master == SSHCTL_MASTER_ASK ||
+ options.control_master == SSHCTL_MASTER_AUTO_ASK) {
+ if (!ask_permission("Allow multiplex proxy connection?")) {
+ debug2("%s: proxy refused by user", __func__);
+ reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
+ "Permission denied");
+ return 0;
+ }
+ }
+
c->mux_rcb = channel_proxy_downstream;
if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
(r = sshbuf_put_u32(reply, rid)) != 0)
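Review bot: The confirmation prompt on the added `ask_permission("Allow multiplex proxy connection?")` line gives the user nothing to judge the request by, whereas the existing new-session confirmation in this file names the destination host; a user who is asked to approve a proxy-mode client should see the same context, e.g. `if (!ask_permission("Allow multiplex proxy connection to %s? ", host)) {` if `host` is in scope here as it is for the new-session path (verify before changing). The added block also deserves a why-comment above the `control_master` test, since nothing in the hunk says why proxy mode needs the same ControlMaster=ask gate as a new session, something like `/* Proxy-mode clients get the same ControlMaster ask/autoask confirmation as new sessions (CVE-2026-35388). */`. The refused path replies MUX_S_PERMISSION_DENIED and returns 0 without touching the channel, which matches how the existing session refusal is handled, so the return value looks right. mux_master_process_proxy begins and ends outside this hunk.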


@ -302,6 +302,8 @@ Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
Patch1025: openssh-9.9p1-scp-clear-setuid.patch
# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
Patch1026: openssh-8.0p1-mux-askpass-check.patch
License: BSD
Group: Applications/Internet
@ -554,6 +556,7 @@ popd
%patch1023 -p1 -b .reject-cntrl-chars-in-username
%patch1024 -p1 -b .reject-null-char-in-url-string
%patch1025 -p1 -b .scp-clear-setuid
%patch1026 -p1 -b .mux-askpass-check
autoreconf
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -843,6 +846,9 @@ getent passwd sshd >/dev/null || \
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode
Resolves: RHEL-164743
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
Resolves: RHEL-166240
* Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-28
- CVE-2026-3497: Fix information disclosure or denial of service due