[security][HIGH] openssh 9.9p2: 3 CVE require triage #1

Open
opened 2026-04-29 04:38:20 +03:00 by sbelikov · 0 comments

CVE triage request

Package

  • Package: openssh
  • Version: 9.9p2
  • EVR: 9.9p2-2
  • Category: security
  • Policy class: security-critical
  • NiceOS policy class: -
  • Owner: security-team
  • Severity: HIGH
  • Max CVSS: 8.1
  • CVE count: 3

LLM recommendation

RU

Three vulnerability candidates (CVE-2026-35385, CVE-2026-35386, CVE-2026-35414) were detected in the openssh package, version 9.9p2. All of them affect OpenSSH versions before 10.3 and carry a high severity rating (CVSS 8.1).

A detailed analysis (triage) is required to confirm that the vulnerabilities apply to the current НАЙС.ОС configuration. Given the package's criticality and the high CVSS score, it is recommended to schedule an update of the package to version 10.3 or higher if a patch cannot be built locally.

Recommended action: needs_triage

Target version hint: 10.3

Checks:
  1. Check the current openssh version via rpm -q openssh.
  2. Check for vulnerable scenarios: an scp run as root with the -O flag and without -p.
  3. Check ssh_config for non-default settings involving the % character.
  4. Check use of the principals option in authorized_keys with a CA whose values contain commas.

Risks: Installation of files with setuid/setgid permissions via scp, command execution via metacharacters in the username, and incorrect handling of the principals option in authorized_keys, which can lead to compromise of accounts and privileges.

EN

Three CVE candidates (CVE-2026-35385, CVE-2026-35386, CVE-2026-35414) were detected in the openssh package, version 9.9p2. All vulnerabilities relate to OpenSSH versions prior to 10.3 and carry a high severity rating (CVSS 8.1).

Detailed triage is required to confirm applicability to the current NAYOS configuration. Given the critical nature of the package and high CVSS score, it is recommended to schedule an update to version 10.3 or higher if a local backport is not feasible.

Recommended action: needs_triage

Target version hint: 10.3

Tests:
  1. Verify the current openssh version via rpm -q openssh.
  2. Verify vulnerable scenarios: scp run as root with the -O flag and without -p.
  3. Check ssh_config for non-default % character settings.
  4. Check authorized_keys principals option usage with a CA whose values contain commas.
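A small static triage helper for checks 1, 3 and 4 above (the same checks appear in the RU block), added here as an example; it is not part of the NiceOS tooling or of OpenSSH. It assumes that the "% settings" of check 3 mean ssh_config directives that expand the username-derived tokens %r or %C, runs only against constructed sample files, and uses obvious placeholder key material.

```shell
#!/bin/sh
# Offline triage checks: version gate, ssh_config %-token directives, and
# authorized_keys cert-authority lines whose principals= list contains commas.

# Return 0 (affected) when an OpenSSH version string such as "9.9p2" is < 10.3.
# On a real host feed it: openssh_affected "$(rpm -q --qf '%{VERSION}\n' openssh)"
openssh_affected() {
  base=${1%%p*}                      # drop the portable suffix: 9.9p2 -> 9.9
  major=${base%%.*}
  minor=${base#*.}
  [ "$minor" = "$base" ] && minor=0  # bare "10" has no minor part
  if [ "$major" -lt 10 ]; then return 0; fi
  if [ "$major" -eq 10 ] && [ "$minor" -lt 3 ]; then return 0; fi
  return 1
}

# Print ssh_config directives that expand the username tokens %r or %C
# (assumption: this directive list is what check 3 means by "% settings").
flag_token_directives() {
  grep -Ei '^[[:space:]]*(ProxyCommand|LocalCommand|RemoteCommand|KnownHostsCommand|Match)[[:space:]]' "$1" \
    | grep -E '%[rC]' || true
}

# Print authorized_keys entries that are cert-authority lines and carry a
# principals= list containing a comma (check 4).
flag_ca_principals_commas() {
  grep -E '^[^#]*cert-authority' "$1" | grep -E 'principals="[^"]*,[^"]*"' || true
}

# Constructed sample inputs (not taken from any real host); key material is a placeholder.
WORK=$(mktemp -d)
SAMPLE_SSH_CONFIG="$WORK/ssh_config"
SAMPLE_AUTH_KEYS="$WORK/authorized_keys"
cat > "$SAMPLE_SSH_CONFIG" <<'EOF'
Host bastion
    ProxyCommand ssh -W %h:%p jump.example.com
Host legacy
    LocalCommand logger "ssh to %r@%h"
Match host *.lab exec "/usr/local/bin/allow-user %r"
EOF
cat > "$SAMPLE_AUTH_KEYS" <<'EOF'
cert-authority,principals="alice,ops-team" ssh-ed25519 AAAA_PLACEHOLDER_CA_KEY ca-multi
cert-authority,principals="deploy" ssh-ed25519 AAAA_PLACEHOLDER_CA_KEY ca-single
principals="a,b" ssh-ed25519 AAAA_PLACEHOLDER_KEY plain-key
EOF

if openssh_affected "9.9p2"; then echo "9.9p2 is below 10.3: all three CVEs in scope"; fi
echo "--- ssh_config lines using %r/%C:"; flag_token_directives "$SAMPLE_SSH_CONFIG"
echo "--- CA lines with a comma in principals:"; flag_ca_principals_commas "$SAMPLE_AUTH_KEYS"
```

Lines flagged by the two greps still need a human look; the checks only narrow down where the triage needs to confirm applicability.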

Risks: Potential installation of files with setuid/setgid permissions via scp, command execution via shell metacharacters in usernames, and mishandling of the principals option in authorized_keys, which could lead to account compromise and privilege escalation.

CVE candidates from NVD/CPE

CVE             Severity  CVSS  Match      NiceOS status  Reason
CVE-2026-35385  HIGH      8.1   cpe-range  needs_triage   package version is inside version range
CVE-2026-35386  HIGH      8.1   cpe-range  needs_triage   package version is inside version range
CVE-2026-35414  HIGH      8.1   cpe-range  needs_triage   package version is inside version range

Descriptions

CVE-2026-35385

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVE-2026-35386

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.

CVE-2026-35414

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-35385",
    "CVE-2026-35386",
    "CVE-2026-35414"
  ],
  "fingerprint": "2ffb6a14bfa0dbcda19d",
  "generated_at": "2026-04-29T01:38:20Z",
  "package": "openssh",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "9.9p2"
}