DLPX-97141 Ubuntu Security Notification for OpenSSH Vulnerabilities (USN-8222-1) #391
Merged
Bumps openssh-{client,server,sftp-server} on the release-track
appliance from Ubuntu's stock 1:9.6p1-3ubuntu13.15 to 1:9.6p1-3ubuntu13.16,
remediating USN-8222-1 (CVE-2026-35414, -35387, -35386, -35388, -35385).
Three sha256-pinned .deb entries added to misc-debs's debs[] array;
the .debs are already in artifactory at linux-pkg/misc-debs/.
Coordination: openspec change `openssh-usn-8222-1` in the cd-aidlc
repo. verification.md there captures the sha256s and the artifactory
PUT evidence.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
lyriclake approved these changes May 11, 2026
david-mendez1 approved these changes May 11, 2026
sebroy approved these changes May 11, 2026
prakashsurya added a commit that referenced this pull request May 12, 2026
… (USN-8226-1) Backports kmod + libkmod2 at 31+20240202-2ubuntu7.2 to the release-track appliance via packages/misc-debs/config.sh's debs=() — mirroring the openssh USN-8222-1 backport pattern (PR #391). Pairs with delphix/delphix-platform#561 (drops disable-algif_aead.conf from delphix-platform-aws so kmod can own the conffile) — landing simultaneously to avoid the dpkg file-overwrite conflict that DLPX-97204 was catching in test_upgrade_linux_system. Sources: http://security.ubuntu.com/ubuntu/pool/main/k/kmod/ Maintainer verified (Ubuntu Developers); sha256s pinned per file. libkmod-dev not added (not installed on the appliance). dpkg-level necessity + sufficiency validated on fresh dlpx-release VMs; see PR comment and delphix/cd-aidlc#47 verification.md for evidence.
Summary
Backports the Ubuntu USN-8222-1 openssh patch (`1:9.6p1-3ubuntu13.16`) to the release-track appliance via the `misc-debs` extension point. Fixes DLPX-97141 — Qualys QID 6032777 (CVE-2026-35414, -35387, -35386, -35388, -35385).
- `packages/misc-debs/config.sh`: three sha256-pinned `debs=()` entries (one per `.deb`) under an inline comment block naming the USN, Jira, CVEs, and the Ubuntu archive source.
- `.deb`s already live at `https://artifactory.delphix.com/artifactory/linux-pkg/misc-debs/` (`openssh-{client,server,sftp-server}_9.6p1-3ubuntu13.16_amd64.deb`).

Coordination
This change is the Phase 2 implementation of OpenSpec change `openssh-usn-8222-1` in `delphix/cd-aidlc`. Spec PR: delphix/cd-aidlc#41 (merged). Impl branch in cd-aidlc: `projects/openspec/openssh-usn-8222-1-rollup`.
Capture of sha256s, artifactory PUT evidence, and Phase 2 build/test results lives at `openspec/changes/openssh-usn-8222-1/verification.md#phase-2--linux-pkg`.

Test plan
- `make shellcheck` + `make shfmtcheck` — both clean locally on this branch).
- `fetch()` step resolves all three artifactory URLs with matching sha256s.
- `git-ab-pre-push` from this worktree builds an appliance image with the three `.16` `.deb`s replacing Ubuntu's `.15`, and `pre-checkin` regression suite passes (sshd is the transport for the entire suite, so any regression surfaces).
- `dpkg-query -W openssh-{client,server,sftp-server}` reports `1:9.6p1-3ubuntu13.16` for all three; `whoami` over ssh exits 0; sftp round-trip preserves sha256.

🤖 Generated with Claude Code
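
The `dpkg-query -W` check from the test plan, written as a repeatable post-upgrade assertion. This is an added example, not code from the pull request or the linux-pkg repository; the function name `check_fixed_versions`, the exact-match policy and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Fixed version and package set, both taken from the PR's test plan.
FIXED_VERSION='1:9.6p1-3ubuntu13.16'
PACKAGES='openssh-client openssh-server openssh-sftp-server'

# check_fixed_versions (hypothetical helper): reads `dpkg-query -W` output
# (name<TAB>version, one package per line) on stdin. Prints one line per
# problem and returns non-zero if a package is absent, has an empty version
# (removed, config files left behind) or is not exactly at FIXED_VERSION.
check_fixed_versions() {
    awk -F '\t' -v want="$FIXED_VERSION" -v pkgs="$PACKAGES" '
        BEGIN { n = split(pkgs, list, " ") }
        {
            name = $1
            sub(/:.*/, "", name)   # drop an arch qualifier such as ":amd64"
            seen[name] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = list[i]
                if (!(p in seen))         { print p ": not installed"; bad = 1 }
                else if (seen[p] == "")   { print p ": no version recorded"; bad = 1 }
                else if (seen[p] != want) { print p ": " seen[p] " (want " want ")"; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample inputs (not captured from a real appliance).
sample_patched() {
    printf 'openssh-client\t%s\n' "$FIXED_VERSION"
    printf 'openssh-server\t%s\n' "$FIXED_VERSION"
    printf 'openssh-sftp-server\t%s\n' "$FIXED_VERSION"
}
sample_partial() {   # one package left at the pre-fix .15 build
    printf 'openssh-client\t%s\n' "$FIXED_VERSION"
    printf 'openssh-server\t1:9.6p1-3ubuntu13.15\n'
    printf 'openssh-sftp-server:amd64\t%s\n' "$FIXED_VERSION"
}

# On an appliance:
#   dpkg-query -W openssh-client openssh-server openssh-sftp-server | check_fixed_versions
```

A partially applied upgrade is the case worth catching here: a single package left at `.15` fails the check even when the other two report `.16`.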