[security][HIGH] openssh 9.9p2: 4 CVEs require triage #3

Open
opened 2026-05-25 00:46:42 +03:00 by sbelikov · 0 comments
Owner

CVE triage request

Package

  • Package: openssh
  • Version: 9.9p2
  • EVR: 9.9p2-3
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: HIGH
  • Max CVSS: 8.1
  • CVE count: 4

LLM recommendation

NVD/CPE candidate CVEs were found for openssh 9.9p2: CVE-2023-51767, CVE-2026-35385, CVE-2026-35386, CVE-2026-35414. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-35385 | HIGH | 8.1 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-35386 | HIGH | 8.1 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-35414 | HIGH | 8.1 | cpe-range | needs_triage | package version is inside version range |
| CVE-2023-51767 | HIGH | 7.0 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage |

Descriptions

CVE-2026-35385

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVE-2026-35386

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % expansion in ssh_config.

CVE-2026-35414

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

CVE-2023-51767

OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states "we do not consider it to be the application's responsibility to defend against platform architectural weaknesses."
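The three 2026 descriptions each hinge on a deployment condition (a shell-executed ssh_config directive that expands % tokens, an untrusted username reaching the ssh command line, use of the authorized_keys principals option, a root scp -O download). The checks below are an added example for scoping those conditions in a NiceOS build; they are not OpenSSH code and not part of the niceos_cve_create_issues.py tool. Assumptions: the set of shell-executed directives (ProxyCommand, LocalCommand, RemoteCommand, KnownHostsCommand, Match exec) and the username allowlist regex are this example's choices, and the ssh_config and authorized_keys samples are constructed, not taken from any real host.

```python
import os
import re
import stat

# --- CVE-2026-35386: ssh_config directives that reach a shell after % expansion ---
# Client-side directives whose value is run by a shell after token expansion
# (assumed list for this example); "Match exec" is treated the same way below.
EXEC_DIRECTIVES = {"proxycommand", "localcommand", "remotecommand", "knownhostscommand"}
TOKEN_RE = re.compile(r"%[A-Za-z]")  # any expansion token (%h, %r, %p, ...); "%%" is a literal percent
# Assumed allowlist for usernames an automation layer may hand to ssh on the command line.
SAFE_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def exec_directives_with_tokens(ssh_config_text):
    """Return (lineno, directive, value) for each shell-executed directive containing a % token."""
    findings = []
    for lineno, raw in enumerate(ssh_config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        is_exec = key in EXEC_DIRECTIVES or (key == "match" and re.search(r"\bexec\b", value))
        if is_exec and TOKEN_RE.search(value):
            findings.append((lineno, key, value))
    return findings

def is_safe_username(user):
    """Reject anything outside the allowlist before it can reach a %r/%u expansion."""
    return bool(SAFE_USERNAME_RE.match(user))

# --- CVE-2026-35414: which authorized_keys entries use the principals option at all ---
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _split_options(opts):
    """Split 'a,b="x,y",c' on commas outside double quotes, keeping \\" escapes intact."""
    fields, cur, in_quotes, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):   # escaped char: copy both, never toggles quoting
            cur.append(opts[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields

def parse_authorized_keys(text):
    """Return {line, options, keytype} per key line; options end at the first unquoted whitespace."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPE_PREFIXES):
            i, in_quotes = 0, False
            while i < len(line):
                ch = line[i]
                if ch == "\\":
                    i += 2; continue
                if ch == '"':
                    in_quotes = not in_quotes
                elif ch.isspace() and not in_quotes:
                    break
                i += 1
            options, line = line[:i], line[i:].strip()
        keytype = line.split(None, 1)[0] if line else ""
        entries.append({"line": lineno, "options": _split_options(options), "keytype": keytype})
    return entries

def principals_entries(entries):
    """(line, [principal, ...]) for entries carrying principals="..."; these need CA review."""
    out = []
    for e in entries:
        for opt in e["options"]:
            if opt.lower().startswith("principals="):
                value = opt.split("=", 1)[1].strip('"').replace('\\"', '"')
                out.append((e["line"], value.split(",")))
    return out

# --- CVE-2026-35385: post-transfer audit for setuid/setgid bits after a root 'scp -O' ---
def setid_entries(path_modes):
    """Regular files whose st_mode carries setuid or setgid; takes (path, mode) pairs so it runs offline."""
    bits = stat.S_ISUID | stat.S_ISGID
    return sorted(p for p, mode in path_modes if stat.S_ISREG(mode) and mode & bits)

def scan_tree(root):
    """Walk a download directory and feed real st_mode values to setid_entries."""
    pairs = [(os.path.join(d, n), os.lstat(os.path.join(d, n)).st_mode)
             for d, _dirs, files in os.walk(root) for n in files]
    return setid_entries(pairs)

# Constructed samples (not from any real deployment).
SAMPLE_SSH_CONFIG = "\n".join([
    "Host bastion",
    "    ProxyCommand ssh -W %h:%p jump",
    "Host *",
    "    Hostname %h.example.com",          # token expansion, but no shell: no finding
    "    PermitLocalCommand yes",
    '    LocalCommand logger "ssh to %h as %r"',
    'Match exec "test -f /tmp/%r"',
    "    IdentityFile ~/.ssh/other",
])
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForIllustration alice@laptop",
    'cert-authority,principals="alice,ops-team" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleCaKeyData ca',
    'from="10.0.0.0/8",command="/usr/bin/backup \\"daily\\",full" ssh-rsa AAAAB3NzaC1yc2EAAAAExampleRsa backup',
])
```

Run exec_directives_with_tokens over the build's /etc/ssh/ssh_config and any shipped drop-ins, parse_authorized_keys over the authorized_keys files of the images, and scan_tree over a directory populated by the scp smoke test; an empty result for all three is the evidence behind a not_affected or false_positive verdict, while any hit is what the maintainer compares against the upstream advisory.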

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.
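The first three checklist items and the Match column of the candidate table come down to one comparison: is the package version inside the NVD range, or is the match only a generic CPE product hit? The script below is an added example of that logic (not the niceos_cve_create_issues.py tool and not its output format). It assumes the OpenSSH version syntax "MAJOR.MINOR[pN]" with a missing pN sorting lowest, so "before 10.3" excludes 10.3p1; the candidate rows are transcribed from the table above, and the 'backported' set, the 'fixed' reason text and the summary() function are this example's own additions.

```python
import re

# OpenSSH version strings: "10.3" is the OpenBSD release, "10.3p1" the first portable
# build of it. A missing "pN" sorts as 0, so "10.3" < "10.3p1", which is how an NVD
# bound such as "before 10.3" (versionEndExcluding) is read here (assumption).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$")

def parse_openssh_version(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSH version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def version_from_evr(evr):
    """'1:9.9p2-3' -> '9.9p2': drop the RPM epoch and release, which NVD ranges never see."""
    return evr.split(":")[-1].split("-", 1)[0]

# Candidate rows mirroring the table above. 'end' is the NVD upper bound and 'excluding'
# its kind (versionEndExcluding vs versionEndIncluding); None means a generic CPE
# product match with no range at all.
CANDIDATES = [
    {"cve": "CVE-2026-35385", "cvss": 8.1, "end": "10.3", "excluding": True},
    {"cve": "CVE-2026-35386", "cvss": 8.1, "end": "10.3", "excluding": True},
    {"cve": "CVE-2026-35414", "cvss": 8.1, "end": "10.3", "excluding": True},
    {"cve": "CVE-2023-51767", "cvss": 7.0, "end": None, "excluding": None},
]

def auto_match(pkg_version, cand):
    """What the version comparison alone supports: (match kind, provisional status, reason)."""
    if cand["end"] is None:
        return ("cpe-generic", "needs_triage",
                "generic CPE product match without version range; needs triage")
    have, bound = parse_openssh_version(pkg_version), parse_openssh_version(cand["end"])
    inside = have < bound if cand["excluding"] else have <= bound
    if inside:
        return ("cpe-range", "needs_triage", "package version is inside version range")
    return ("cpe-range", "not_affected", f"{pkg_version} is outside the NVD range")

def triage(evr, candidates=CANDIDATES, backported=frozenset()):
    """Build triage rows; a CVE whose upstream fix the maintainer has backported becomes 'fixed'."""
    pkg_version = version_from_evr(evr)
    rows = []
    for cand in sorted(candidates, key=lambda c: -c["cvss"]):
        kind, status, reason = auto_match(pkg_version, cand)
        if status == "needs_triage" and cand["cve"] in backported:
            status, reason = "fixed", "upstream fix backported in this EVR"
        rows.append({"cve": cand["cve"], "cvss": cand["cvss"], "match": kind,
                     "status": status, "reason": reason})
    return rows

def summary(rows):
    """Header-style figures: CVE count, max CVSS, and which CVEs are still open."""
    open_rows = [r for r in rows if r["status"] in ("needs_triage", "affected")]
    return {"cve_count": len(rows),
            "max_cvss": max(r["cvss"] for r in rows) if rows else 0.0,
            "open": sorted(r["cve"] for r in open_rows)}

if __name__ == "__main__":
    for row in triage("9.9p2-3"):
        print(f'{row["cve"]} {row["cvss"]:>4} {row["match"]:<11} {row["status"]:<13} {row["reason"]}')
    print(summary(triage("9.9p2-3")))
```

For EVR 9.9p2-3 every row stays needs_triage, exactly as in the table; rebuilding against 10.3p1 flips the three ranged CVEs to not_affected while CVE-2023-51767 stays open because a generic CPE match carries no version information, and a backport of a single fix (the backported argument) is recorded as fixed without touching the others. The version check is only the first checklist item: the advisory comparison and the final status still belong to the maintainer.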

Machine metadata

{
  "cves": [
    "CVE-2023-51767",
    "CVE-2026-35385",
    "CVE-2026-35386",
    "CVE-2026-35414"
  ],
  "fingerprint": "4735b8855140ad0ca4bb",
  "generated_at": "2026-05-24T21:46:42Z",
  "package": "openssh",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "9.9p2"
}
Reference
rpms/openssh#3