Security update for openssh SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20160-1 Final 1 1 2025-03-25T09:02:20Z current 2025-03-25T09:02:20Z 2025-03-25T09:02:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openssh This update for openssh fixes the following issues: - CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040). - CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041). Other bugfixes: - Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). - Add #include <stdlib.h> in some files added by the ldap patch to fix build with gcc14 (bsc#1225904). - Added missing struct initializer, added missing parameter (bsc#1222840). - Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream (bsc#1221928). - Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063). - Add a patch to fix a regression introduced in 9.6 that makes X11 forwarding very slow (bsc#1229449). - Drop keycat binary that is not supported, except of the code that is used by other SELinux patches (bsc#1229072). - Fix RFC4256 implementation that keyboard-interactive authentication method can send instructions and sshd shows them to users (bsc#1229010). - Add attempts to mitigate instances of secrets lingering in memory after a session exits (bsc#1186673, bsc#1213004, bsc#1213008). - Remove empty line at the end of sshd-sle.pamd (bsc#1227456) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-259 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520160-1/ Link for SUSE-SU-2025:20160-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021179.html E-Mail link for SUSE-SU-2025:20160-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186673 SUSE Bug 1186673 https://bugzilla.suse.com/1213004 SUSE Bug 1213004 https://bugzilla.suse.com/1213008 SUSE Bug 1213008 https://bugzilla.suse.com/1221063 SUSE Bug 1221063 https://bugzilla.suse.com/1221928 SUSE Bug 1221928 https://bugzilla.suse.com/1222840 SUSE Bug 1222840 https://bugzilla.suse.com/1225904 SUSE Bug 1225904 https://bugzilla.suse.com/1227456 SUSE Bug 1227456 https://bugzilla.suse.com/1229010 SUSE Bug 1229010 https://bugzilla.suse.com/1229072 SUSE Bug 1229072 https://bugzilla.suse.com/1229449 SUSE Bug 1229449 https://bugzilla.suse.com/1236826 SUSE Bug 1236826 https://bugzilla.suse.com/1237040 SUSE Bug 1237040 https://bugzilla.suse.com/1237041 SUSE Bug 1237041 https://www.suse.com/security/cve/CVE-2025-26465/ SUSE CVE CVE-2025-26465 page https://www.suse.com/security/cve/CVE-2025-26466/ SUSE CVE CVE-2025-26466 page SUSE Linux Micro 6.0 openssh-9.6p1-3.1 openssh-clients-9.6p1-3.1 openssh-common-9.6p1-3.1 openssh-fips-9.6p1-3.1 openssh-server-9.6p1-3.1 openssh-server-config-rootlogin-9.6p1-3.1 openssh-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 openssh-clients-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 openssh-common-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 openssh-fips-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 openssh-server-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 openssh-server-config-rootlogin-9.6p1-3.1 as a component of SUSE Linux Micro 6.0 A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. CVE-2025-26465 SUSE Linux Micro 6.0:openssh-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-clients-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-common-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-fips-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-server-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-server-config-rootlogin-9.6p1-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520160-1/ https://www.suse.com/security/cve/CVE-2025-26465.html CVE-2025-26465 https://bugzilla.suse.com/1237040 SUSE Bug 1237040 https://bugzilla.suse.com/1237041 SUSE Bug 1237041 A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. CVE-2025-26466 SUSE Linux Micro 6.0:openssh-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-clients-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-common-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-fips-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-server-9.6p1-3.1 SUSE Linux Micro 6.0:openssh-server-config-rootlogin-9.6p1-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520160-1/ https://www.suse.com/security/cve/CVE-2025-26466.html CVE-2025-26466 https://bugzilla.suse.com/1237041 SUSE Bug 1237041