[CLSA-2026:1777556512] Fix CVE(s): CVE-2026-35385

Type:

security

Severity:

Important

Release date:

2026-04-30 13:41:59 UTC

Description:

   * SECURITY UPDATE: setuid/setgid bits preserved on scp downloads without -p
     - debian/patches/CVE-2026-35385.patch: in legacy (-O) mode, OR 07000 into
       the saved umask in sink() in scp.c so that setuid/setgid/sticky bits
       are stripped from received files when -p is not specified.
     - CVE-2026-35385

Updated packages:

openssh-client_8.2p1-4ubuntu0.13+tuxcare.els3_amd64.deb
sha:801b7ec0a476f9ca16e3bfca2b3890a5c05884f9
openssh-server_8.2p1-4ubuntu0.13+tuxcare.els3_amd64.deb
sha:e599cd25dcfdc44533edd7f3c21d50f3091692db
openssh-sftp-server_8.2p1-4ubuntu0.13+tuxcare.els3_amd64.deb
sha:a950420dedec2c831144e463f7524a819b03a256
openssh-tests_8.2p1-4ubuntu0.13+tuxcare.els3_amd64.deb
sha:2f73bda5667795a58fc20cbcc9ac96c9060185da
ssh_8.2p1-4ubuntu0.13+tuxcare.els3_all.deb
sha:a12bef9772ba461c1c15f8af65d6b2d1d6b20115
ssh-askpass-gnome_8.2p1-4ubuntu0.13+tuxcare.els3_amd64.deb
sha:92e41bfaeb335f4b918b4f6bf8510b2cf27f8f88

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.