Security

5219 readers

1 users here now

Confidentiality Integrity Availability

founded 5 years ago

MODERATORS

two OpenSSH vulnerabilities fixed: one allowed MITM against clients which had enabled VerifyHostKeyDNS, the other allowed pre-auth DoS (blog.qualys.com)

submitted 1 day ago by cypherpunks@lemmy.ml to c/security@lemmy.ml

0 comments fedilink hide all child comments

from the OpenSSH 9.9p2 release announcement:


This release fixes two security bugs.

Security
========

* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
  (inclusive) contained a logic error that allowed an on-path
  attacker (a.k.a MITM) to impersonate any server when the
  VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
  (inclusive) is vulnerable to a memory/CPU denial-of-service related
  to the handling of SSH2_MSG_PING packets. This condition may be
  mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here