Oracle Errata System
Oracle Linux
5.11
2026-05-06T03:22:52
ELSA-2026-13381: openssh security update (IMPORTANT)
Oracle Linux 9
[8.7p1-49.0.1]
- Upstream references found with /usr/bin/ssh [Orabug: 37814929]
- upstream: fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand [Orabug: 37647064]
- Update upstream references [Orabug: 36564626]
[8.7p1-49]
- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
when not in preserving file mode
Resolves: RHEL-164752
- CVE-2026-35388: Add connection multiplexing confirmation for proxy-mode
multiplexing sessions
Resolves: RHEL-166249
- CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms
and HostbasedAcceptedAlgorithms with regard to ECDSA keys
Resolves: RHEL-166233
- CVE-2026-35414: Fix mishandling of authorized_keys principals option
Resolves: RHEL-166201
- CVE-2026-35386: Add validation rules to usernames and hostnames
set for ProxyJump/-J on the commandline
Resolves: RHEL-166217
IMPORTANT
Copyright 2026 Oracle, Inc.
CVE-2026-35385
CVE-2026-35386
CVE-2026-35387
CVE-2026-35388
CVE-2026-35414
cpe:/a:oracle:linux:9::appstream
cpe:/o:oracle:linux:9:7:baseos_patch
cpe:/o:oracle:linux:9::baseos_latest
openssh-clients
oraclelinux-release
openssh-server
openssh
pam_ssh_agent_auth
openssh-askpass
openssh-keycat
bc4d06a08d8b756f
^9
aarch64
0:8.7p1-49.0.1.el9_7
0:0.10.4-5.49.0.1.el9_7
x86_64