From d0ca366ec27a713b70a6aaa48378a0ae7cf94832 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Mon, 13 Apr 2026 16:05:06 +0200
Subject: [PATCH] Fix CVE-2026-35388

Add connection multiplexing confirmation for proxy-mode
multiplexing sessions

Resolves: RHEL-166240

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 openssh-8.0p1-mux-askpass-check.patch | 20 ++++++++++++++++++++
 openssh.spec                          |  6 ++++++
 2 files changed, 26 insertions(+)
 create mode 100644 openssh-8.0p1-mux-askpass-check.patch

diff --git a/openssh-8.0p1-mux-askpass-check.patch b/openssh-8.0p1-mux-askpass-check.patch
new file mode 100644
index 0000000..ea28144
--- /dev/null
+++ b/openssh-8.0p1-mux-askpass-check.patch
@@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c	2026-04-15 12:22:36.533931440 +0200
++++ b/mux.c	2026-04-15 12:24:40.020578991 +0200
+@@ -1133,6 +1133,16 @@ mux_master_process_proxy(struct ssh *ssh
+ 
+ 	debug("%s: channel %d: proxy request", __func__, c->self);
+ 
++	if (options.control_master == SSHCTL_MASTER_ASK ||
++	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++		if (!ask_permission("Allow multiplex proxy connection?")) {
++			debug2("%s: proxy refused by user", __func__);
++			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++			    "Permission denied");
++			return 0;
++		}
++	}
++
+ 	c->mux_rcb = channel_proxy_downstream;
+ 	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ 	    (r = sshbuf_put_u32(reply, rid)) != 0)
diff --git a/openssh.spec b/openssh.spec
index 39de036..28e8a31 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -302,6 +302,8 @@ Patch1023: openssh-8.0p1-reject-cntrl-chars-in-username.patch
 Patch1024: openssh-8.7p1-reject-null-char-in-url-string.patch
 # upstream 487e8ac146f7d6616f65c125d5edb210519b833a
 Patch1025: openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch1026: openssh-8.0p1-mux-askpass-check.patch
 
 License: BSD
 Group: Applications/Internet
@@ -554,6 +556,7 @@ popd
 %patch1023 -p1 -b .reject-cntrl-chars-in-username
 %patch1024 -p1 -b .reject-null-char-in-url-string
 %patch1025 -p1 -b .scp-clear-setuid
+%patch1026 -p1 -b .mux-askpass-check
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -843,6 +846,9 @@ getent passwd sshd >/dev/null || \
 - CVE-2026-35385: Fix privilege escalation via scp legacy protocol
   when not in preserving file mode
   Resolves: RHEL-164743
+- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
+  multiplexing sessions
+  Resolves: RHEL-166240
 
 * Mon Mar 16 2026 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-28
 - CVE-2026-3497: Fix information disclosure or denial of service due