Skip to content

stable-4459: cherry-pick OpenSSH security fixes #3706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tormath1 wants to merge 8 commits into
base: flatcar-4459
Choose a base branch
from
Open

stable-4459: cherry-pick OpenSSH security fixes #3706

tormath1 wants to merge 8 commits into from
+2,656 −718

Conversation

@tormath1
Copy link
Contributor

@tormath1 tormath1 commented Feb 12, 2026
edited
Loading

In this PR, we upgrade OpenSSH to openssh-10.2_p1 to ship two security fixes on Stable:

Testing done

Locally emerged in the SDK:

$ sudo emerge -v openssh
...
[ebuild  N     ] virtual/zlib-1.3.1-r1:0/1::portage-stable  USE="-static-libs" 0 KiB
[ebuild     U ~] net-misc/openssh-10.2_p1::portage-stable [10.0_p1::portage-stable] USE="kerberos ssl -audit (-debug) -ldns -libedit -livecd -pam -security-key -selinux -static -test -verify-sig (-pie%*) (-xmss%)" 1929 KiB
...
$ ssh -V
OpenSSH_10.2p1, OpenSSL 3.4.2 1 Jul 2025

Notes for reviewers:

 index 4c92262118..81e6dec563 100644
 --- a/tmp/4459.2.3+nightly-20260210-2100-PKjZgh
 +++ b/tmp/4459.2.101+tormath1-openssh-EM1Lhr
 @@ -1,5 +1,5 @@
  File    Size  Used Avail Use% Type
 -/boot   127M   66M   61M  52% vfat
 +/boot   127M   64M   63M  51% vfat
  /usr   1016M  463M  443M  52% btrfs
  /       2.0G  576K  1.8G   1% ext4
 -SUM     3.1G  529M  2.3G  19% -
 +SUM     3.1G  527M  2.3G  19% -

danzatt and others added 7 commits February 12, 2026 09:50
@danzatt @tormath1
virtual/zlib: Add from Gentoo
21fe1fe 
Gentoo is moving the zlib dependency from sys-libs/zlib to virtual/zlib
to allow different zlib implementation (like zlib-ng). We need to pull
this virtual dependency because erofs-utils depends on it.

Signed-off-by: Daniel Zatovic <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1
net-misc/openssh: Sync with Gentoo
88fb932 
It's from Gentoo commit fff6fa33d9c2e7a3c136031b5e24ee069f784b1a.

Signed-off-by: Flatcar Buildbot <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1
net-misc/openssh: Sync with Gentoo
d777708 
It's from Gentoo commit 88156328d40f0af955afe2adbb3b4aa367ff64f6.

Signed-off-by: Flatcar Buildbot <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1
net-misc/openssh: Sync with Gentoo
5b820fd 
It's from Gentoo commit 9e2a2f1a08f1368e1842b3b8f2d4e190bddee73c.

Signed-off-by: Flatcar Buildbot <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1
virtual/openssh: Sync with Gentoo
c4f0531 
It's from Gentoo commit bb03600b8ee5393c8df8e625a873ec4426db6882.

Signed-off-by: Flatcar Buildbot <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@krnowak @tormath1
overlay profiles: Add accept keywords for net-misc/openssh
f60a6e6 
Signed-off-by: Krzesimir Nowak <[email protected]>
@krnowak @tormath1
changelog: Add entries
69a3609 
Signed-off-by: Krzesimir Nowak <[email protected]>
Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1 tormath1 self-assigned this Feb 12, 2026
@tormath1 tormath1 moved this to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Feb 12, 2026
@tormath1 tormath1 moved this to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Feb 12, 2026
@tormath1
Revert "sys-kernel/coreos-modules: arm64: Enable CONFIG_FUNCTION_TRAC…
83ce077 
…ER & CONFIG_DYNAMIC_FTRACE"

This reverts commit 363f281.

This unfortunately breaks the /boot size limit.

Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1 tormath1 force-pushed the tormath1/4459/openssh branch from 5942f84 to 83ce077 Compare February 12, 2026 13:58
@tormath1 tormath1 marked this pull request as ready for review February 12, 2026 17:17
@tormath1 tormath1 requested a review from a team as a code owner February 12, 2026 17:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sayanchowdhury sayanchowdhury sayanchowdhury approved these changes

Assignees

@tormath1 tormath1

Labels

stable

Projects

Flatcar tactical, release planning, and roadmap
Status: Testing / in Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tormath1 @sayanchowdhury @danzatt @krnowak