An update for openssh is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1963 Final 1.0 1.0 2026-04-17 Initial 2026-04-17 2026-04-17 openEuler SA Tool V1.0 2026-04-17 openssh security update An update for openssh is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS An open source implementation of SSH protocol version 2 Security Fix(es): Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.(CVE-2026-3497) In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).(CVE-2026-35385) In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.(CVE-2026-35386) OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.(CVE-2026-35387) OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.(CVE-2026-35388) OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.(CVE-2026-35414) An update for openssh is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High openssh https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3497 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35385 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35386 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35387 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35388 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-35414 https://nvd.nist.gov/vuln/detail/CVE-2026-3497 https://nvd.nist.gov/vuln/detail/CVE-2026-35385 https://nvd.nist.gov/vuln/detail/CVE-2026-35386 https://nvd.nist.gov/vuln/detail/CVE-2026-35387 https://nvd.nist.gov/vuln/detail/CVE-2026-35388 https://nvd.nist.gov/vuln/detail/CVE-2026-35414 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openssh-9.6p1-13.oe2403sp1.aarch64.rpm openssh-askpass-9.6p1-13.oe2403sp1.aarch64.rpm openssh-clients-9.6p1-13.oe2403sp1.aarch64.rpm openssh-debuginfo-9.6p1-13.oe2403sp1.aarch64.rpm openssh-debugsource-9.6p1-13.oe2403sp1.aarch64.rpm openssh-keycat-9.6p1-13.oe2403sp1.aarch64.rpm openssh-server-9.6p1-13.oe2403sp1.aarch64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp1.aarch64.rpm openssh-9.6p1-13.oe2403sp2.aarch64.rpm openssh-askpass-9.6p1-13.oe2403sp2.aarch64.rpm openssh-clients-9.6p1-13.oe2403sp2.aarch64.rpm openssh-debuginfo-9.6p1-13.oe2403sp2.aarch64.rpm openssh-debugsource-9.6p1-13.oe2403sp2.aarch64.rpm openssh-keycat-9.6p1-13.oe2403sp2.aarch64.rpm openssh-server-9.6p1-13.oe2403sp2.aarch64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp2.aarch64.rpm openssh-9.6p1-13.oe2403sp3.aarch64.rpm openssh-askpass-9.6p1-13.oe2403sp3.aarch64.rpm openssh-clients-9.6p1-13.oe2403sp3.aarch64.rpm openssh-debuginfo-9.6p1-13.oe2403sp3.aarch64.rpm openssh-debugsource-9.6p1-13.oe2403sp3.aarch64.rpm openssh-keycat-9.6p1-13.oe2403sp3.aarch64.rpm openssh-server-9.6p1-13.oe2403sp3.aarch64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp3.aarch64.rpm openssh-8.2p1-35.oe2003sp4.aarch64.rpm openssh-askpass-8.2p1-35.oe2003sp4.aarch64.rpm openssh-cavs-8.2p1-35.oe2003sp4.aarch64.rpm openssh-clients-8.2p1-35.oe2003sp4.aarch64.rpm openssh-debuginfo-8.2p1-35.oe2003sp4.aarch64.rpm openssh-debugsource-8.2p1-35.oe2003sp4.aarch64.rpm openssh-keycat-8.2p1-35.oe2003sp4.aarch64.rpm openssh-ldap-8.2p1-35.oe2003sp4.aarch64.rpm openssh-server-8.2p1-35.oe2003sp4.aarch64.rpm pam_ssh_agent_auth-0.10.3-9.35.oe2003sp4.aarch64.rpm openssh-8.8p1-41.oe2203sp4.aarch64.rpm openssh-askpass-8.8p1-41.oe2203sp4.aarch64.rpm openssh-clients-8.8p1-41.oe2203sp4.aarch64.rpm openssh-debuginfo-8.8p1-41.oe2203sp4.aarch64.rpm openssh-debugsource-8.8p1-41.oe2203sp4.aarch64.rpm openssh-keycat-8.8p1-41.oe2203sp4.aarch64.rpm openssh-server-8.8p1-41.oe2203sp4.aarch64.rpm pam_ssh_agent_auth-0.10.4-4.41.oe2203sp4.aarch64.rpm openssh-9.3p2-11.oe2403.aarch64.rpm openssh-askpass-9.3p2-11.oe2403.aarch64.rpm openssh-clients-9.3p2-11.oe2403.aarch64.rpm openssh-debuginfo-9.3p2-11.oe2403.aarch64.rpm openssh-debugsource-9.3p2-11.oe2403.aarch64.rpm openssh-keycat-9.3p2-11.oe2403.aarch64.rpm openssh-server-9.3p2-11.oe2403.aarch64.rpm pam_ssh_agent_auth-0.10.4-4.11.oe2403.aarch64.rpm openssh-9.6p1-13.oe2403sp1.src.rpm openssh-9.6p1-13.oe2403sp2.src.rpm openssh-9.6p1-13.oe2403sp3.src.rpm openssh-8.2p1-35.oe2003sp4.src.rpm openssh-8.8p1-41.oe2203sp4.src.rpm openssh-9.3p2-11.oe2403.src.rpm openssh-9.6p1-13.oe2403sp1.x86_64.rpm openssh-askpass-9.6p1-13.oe2403sp1.x86_64.rpm openssh-clients-9.6p1-13.oe2403sp1.x86_64.rpm openssh-debuginfo-9.6p1-13.oe2403sp1.x86_64.rpm openssh-debugsource-9.6p1-13.oe2403sp1.x86_64.rpm openssh-keycat-9.6p1-13.oe2403sp1.x86_64.rpm openssh-server-9.6p1-13.oe2403sp1.x86_64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp1.x86_64.rpm openssh-9.6p1-13.oe2403sp2.x86_64.rpm openssh-askpass-9.6p1-13.oe2403sp2.x86_64.rpm openssh-clients-9.6p1-13.oe2403sp2.x86_64.rpm openssh-debuginfo-9.6p1-13.oe2403sp2.x86_64.rpm openssh-debugsource-9.6p1-13.oe2403sp2.x86_64.rpm openssh-keycat-9.6p1-13.oe2403sp2.x86_64.rpm openssh-server-9.6p1-13.oe2403sp2.x86_64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp2.x86_64.rpm openssh-9.6p1-13.oe2403sp3.x86_64.rpm openssh-askpass-9.6p1-13.oe2403sp3.x86_64.rpm openssh-clients-9.6p1-13.oe2403sp3.x86_64.rpm openssh-debuginfo-9.6p1-13.oe2403sp3.x86_64.rpm openssh-debugsource-9.6p1-13.oe2403sp3.x86_64.rpm openssh-keycat-9.6p1-13.oe2403sp3.x86_64.rpm openssh-server-9.6p1-13.oe2403sp3.x86_64.rpm pam_ssh_agent_auth-0.10.4-5.13.oe2403sp3.x86_64.rpm openssh-8.2p1-35.oe2003sp4.x86_64.rpm openssh-askpass-8.2p1-35.oe2003sp4.x86_64.rpm openssh-cavs-8.2p1-35.oe2003sp4.x86_64.rpm openssh-clients-8.2p1-35.oe2003sp4.x86_64.rpm openssh-debuginfo-8.2p1-35.oe2003sp4.x86_64.rpm openssh-debugsource-8.2p1-35.oe2003sp4.x86_64.rpm openssh-keycat-8.2p1-35.oe2003sp4.x86_64.rpm openssh-ldap-8.2p1-35.oe2003sp4.x86_64.rpm openssh-server-8.2p1-35.oe2003sp4.x86_64.rpm pam_ssh_agent_auth-0.10.3-9.35.oe2003sp4.x86_64.rpm openssh-8.8p1-41.oe2203sp4.x86_64.rpm openssh-askpass-8.8p1-41.oe2203sp4.x86_64.rpm openssh-clients-8.8p1-41.oe2203sp4.x86_64.rpm openssh-debuginfo-8.8p1-41.oe2203sp4.x86_64.rpm openssh-debugsource-8.8p1-41.oe2203sp4.x86_64.rpm openssh-keycat-8.8p1-41.oe2203sp4.x86_64.rpm openssh-server-8.8p1-41.oe2203sp4.x86_64.rpm pam_ssh_agent_auth-0.10.4-4.41.oe2203sp4.x86_64.rpm openssh-9.3p2-11.oe2403.x86_64.rpm openssh-askpass-9.3p2-11.oe2403.x86_64.rpm openssh-clients-9.3p2-11.oe2403.x86_64.rpm openssh-debuginfo-9.3p2-11.oe2403.x86_64.rpm openssh-debugsource-9.3p2-11.oe2403.x86_64.rpm openssh-keycat-9.3p2-11.oe2403.x86_64.rpm openssh-server-9.3p2-11.oe2403.x86_64.rpm pam_ssh_agent_auth-0.10.4-4.11.oe2403.x86_64.rpm openssh-help-9.6p1-13.oe2403sp1.noarch.rpm openssh-help-9.6p1-13.oe2403sp2.noarch.rpm openssh-help-9.6p1-13.oe2403sp3.noarch.rpm openssh-help-8.2p1-35.oe2003sp4.noarch.rpm openssh-help-8.8p1-41.oe2203sp4.noarch.rpm openssh-help-9.3p2-11.oe2403.noarch.rpm Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. 2026-04-17 CVE-2026-3497 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Medium 6.9 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). 2026-04-17 CVE-2026-35385 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS High 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. 2026-04-17 CVE-2026-35386 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Low 3.6 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. 2026-04-17 CVE-2026-35387 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Low 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. 2026-04-17 CVE-2026-35388 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Low 2.5 AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. 2026-04-17 CVE-2026-35414 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS High 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H openssh security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1963