This update for openssh fixes the following issues
Security issues fixed:
- CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid (bsc#1261427).
- CVE-2026-35414: mishandling of authorized_keys principals option (bsc#1261430).
Other issues fixed:
- SSH port not reachable on SLES-16.0-CHOST-BYOS since build 1.32 for both x86_64 and aarch64 (bsc#1262555).
- OpenSSH audit support causes connection lost with parallel sessions (bsc#1252890).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-752=1
- openSUSE Leap 16.0:
openssh-10.0p2-160000.5.1
openssh-askpass-gnome-10.0p2-160000.5.1
openssh-cavs-10.0p2-160000.5.1
openssh-clients-10.0p2-160000.5.1
openssh-common-10.0p2-160000.5.1
openssh-helpers-10.0p2-160000.5.1
openssh-server-10.0p2-160000.5.1
openssh-server-config-rootlogin-10.0p2-160000.5.1
* bsc#1252890
* bsc#1261427
* bsc#1261430
* bsc#1262555
References:
* https://www.suse.com/security/cve/CVE-2026-35385.html
* https://www.suse.com/security/cve/CVE-2026-35414.html
Get the latest Linux and open source security news straight to your inbox.