ELSA-2026-19069

ELSA-2026-19069 - openssh security update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-08

Description


[9.9p1-23.0.1]
- Upstream references found with /usr/bin/ssh [Orabug: 37824421]

[9.9p1-23]
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode
Resolves: RHEL-164739
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
Resolves: RHEL-166238
- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys
Resolves: RHEL-166222
- CVE-2026-35414: Fix mishandling of authorized_keys principals option
Resolves: RHEL-166190
- CVE-2026-35386: Add validation rules to usernames and hostnames
set for ProxyJump/-J on the commandline
Resolves: RHEL-166206

[9.9p1-22]
- Version bump

[9.9p1-21]
- CVE-2026-3497: Fix information disclosure or denial of service due
to uninitialized variables in gssapi-keyex
Resolves: RHEL-155812

[9.9p1-20]
- Provide a way to skip unsupported ML-KEM hybrid algorithms in FIPS mode
Resolves: RHEL-151579

[9.9p1-19]
- Support of hybrid MLKEM key exchange methods in FIPS mode
Resolves: RHEL-125929

[9.9p1-18]
- Adding a mechanism to disable GSSAPIDelegateCredentials in sshd_config
Resolves: RHEL-5281

[9.9p1-17]
- CVE-2025-61984: Reject usernames with control characters
Resolves: RHEL-128399
- CVE-2025-61985: Reject URL-strings with NULL characters
Resolves: RHEL-128388

[9.9p1-16]
- Implement mlkem768nistp256-sha256 and mlkem1024nistp384-sha384 KEX methods
Resolves: RHEL-70824

[9.9p1-15]
- Fix implicit destination path selection when source path ends with '..'
Resolves: RHEL-118406
- Canonicalize username when matching a user
Resolves: RHEL-101440


Related CVEs


CVE-2026-35385
CVE-2026-35386
CVE-2026-35387
CVE-2026-35388
CVE-2026-35414

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 10 (aarch64) openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_aarch64_appstream
openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_aarch64_baseos_latest
openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_aarch64_u2_baseos_base
openssh-9.9p1-23.0.1.el10_2.aarch64.rpmb17b82d5d35956840d9bcdb9a5dac2f22561573c949e757074e89d4313055386-ol10_aarch64_baseos_latest
openssh-9.9p1-23.0.1.el10_2.aarch64.rpmb17b82d5d35956840d9bcdb9a5dac2f22561573c949e757074e89d4313055386-ol10_aarch64_u2_baseos_base
openssh-askpass-9.9p1-23.0.1.el10_2.aarch64.rpm64f8f197ec8450ebd0736ae8f3d381788fd157469b536d1cbc6d2c9093d6b905-ol10_aarch64_appstream
openssh-clients-9.9p1-23.0.1.el10_2.aarch64.rpmaba0476a76a080a0ada5b5c2c26e012b75e3b184101f4645c416acc8a2d9b0f8-ol10_aarch64_baseos_latest
openssh-clients-9.9p1-23.0.1.el10_2.aarch64.rpmaba0476a76a080a0ada5b5c2c26e012b75e3b184101f4645c416acc8a2d9b0f8-ol10_aarch64_u2_baseos_base
openssh-keycat-9.9p1-23.0.1.el10_2.aarch64.rpm94f7706ac611ce8ecae6d7e90215a16f4be3f58bddb7e39fb7f09e62c0591b70-ol10_aarch64_baseos_latest
openssh-keycat-9.9p1-23.0.1.el10_2.aarch64.rpm94f7706ac611ce8ecae6d7e90215a16f4be3f58bddb7e39fb7f09e62c0591b70-ol10_aarch64_u2_baseos_base
openssh-keysign-9.9p1-23.0.1.el10_2.aarch64.rpm7c6c6eeea06ea5ede00f9d5ce3a6570e8ea1a48bb1818ef2356fb85cdb2ff5a0-ol10_aarch64_appstream
openssh-server-9.9p1-23.0.1.el10_2.aarch64.rpm857202a87dd2a0a0c289c72bb4232aa75821504df6da06b6ad743bad068e0442-ol10_aarch64_baseos_latest
openssh-server-9.9p1-23.0.1.el10_2.aarch64.rpm857202a87dd2a0a0c289c72bb4232aa75821504df6da06b6ad743bad068e0442-ol10_aarch64_u2_baseos_base
Oracle Linux 10 (x86_64) openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_x86_64_appstream
openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_x86_64_baseos_latest
openssh-9.9p1-23.0.1.el10_2.src.rpm0f0b1815009f15745e14a2803efd5b630df460e5bd20c96c25c7c713bb640580-ol10_x86_64_u2_baseos_base
openssh-9.9p1-23.0.1.el10_2.x86_64.rpm0be6becec99e6661cde681beaa4fec09177d254e179589c7c76852cfa02c5371-ol10_x86_64_baseos_latest
openssh-9.9p1-23.0.1.el10_2.x86_64.rpm0be6becec99e6661cde681beaa4fec09177d254e179589c7c76852cfa02c5371-ol10_x86_64_u2_baseos_base
openssh-askpass-9.9p1-23.0.1.el10_2.x86_64.rpmf4601346d2b4e93178bc960cb105d693686fe9e907798841e3dd9a994949017d-ol10_x86_64_appstream
openssh-clients-9.9p1-23.0.1.el10_2.x86_64.rpm5a3e80ea686b7a43190f30f2b7ece47b78fad73201f32e28bd9fb7cad82aca14-ol10_x86_64_baseos_latest
openssh-clients-9.9p1-23.0.1.el10_2.x86_64.rpm5a3e80ea686b7a43190f30f2b7ece47b78fad73201f32e28bd9fb7cad82aca14-ol10_x86_64_u2_baseos_base
openssh-keycat-9.9p1-23.0.1.el10_2.x86_64.rpmf76655218cc66eeb66180e9fdeea706e08f4e5401bd0d5be5b555146bfd7e18c-ol10_x86_64_baseos_latest
openssh-keycat-9.9p1-23.0.1.el10_2.x86_64.rpmf76655218cc66eeb66180e9fdeea706e08f4e5401bd0d5be5b555146bfd7e18c-ol10_x86_64_u2_baseos_base
openssh-keysign-9.9p1-23.0.1.el10_2.x86_64.rpm90710b7a7b201d8f42a9dda3bd766bf71b38acc8c007ebb826a24e23c30e5a44-ol10_x86_64_appstream
openssh-server-9.9p1-23.0.1.el10_2.x86_64.rpm9d4661803f60ce9c6d4de6636e4c62e8a63b51cf12407da190c3beeb72b9a63b-ol10_x86_64_baseos_latest
openssh-server-9.9p1-23.0.1.el10_2.x86_64.rpm9d4661803f60ce9c6d4de6636e4c62e8a63b51cf12407da190c3beeb72b9a63b-ol10_x86_64_u2_baseos_base



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete