Amazon Linux 2023 Security Advisory: ALAS2023-2026-1745
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26
FAQs regarding Amazon Linux ALAS/CVE Severity
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. (CVE-2026-3497)
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. (CVE-2026-35386)
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. (CVE-2026-35387)
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. (CVE-2026-35388)
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. (CVE-2026-35414)
Affected Packages:
openssh
Issue Correction:
Run dnf update openssh --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1745 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
openssh-clients-debuginfo-8.7p1-8.amzn2023.0.18.aarch64
openssh-keycat-8.7p1-8.amzn2023.0.18.aarch64
openssh-debugsource-8.7p1-8.amzn2023.0.18.aarch64
openssh-server-debuginfo-8.7p1-8.amzn2023.0.18.aarch64
pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.18.aarch64
openssh-debuginfo-8.7p1-8.amzn2023.0.18.aarch64
openssh-8.7p1-8.amzn2023.0.18.aarch64
openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.18.aarch64
pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.18.aarch64
openssh-clients-8.7p1-8.amzn2023.0.18.aarch64
openssh-server-8.7p1-8.amzn2023.0.18.aarch64
src:
openssh-8.7p1-8.amzn2023.0.18.src
x86_64:
openssh-clients-debuginfo-8.7p1-8.amzn2023.0.18.x86_64
openssh-server-8.7p1-8.amzn2023.0.18.x86_64
openssh-8.7p1-8.amzn2023.0.18.x86_64
openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.18.x86_64
pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.18.x86_64
pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.18.x86_64
openssh-server-debuginfo-8.7p1-8.amzn2023.0.18.x86_64
openssh-keycat-8.7p1-8.amzn2023.0.18.x86_64
openssh-debugsource-8.7p1-8.amzn2023.0.18.x86_64
openssh-clients-8.7p1-8.amzn2023.0.18.x86_64
openssh-debuginfo-8.7p1-8.amzn2023.0.18.x86_64