6
two OpenSSH vulnerabilities fixed: one allowed MITM against clients which had enabled VerifyHostKeyDNS, the other allowed pre-auth DoS (blog.qualys.com)
submitted 1 day ago by cypherpunks@lemmy.ml to c/selfhost@lemmy.ml
0 comments fedilink hide all child comments

cross-posted from: https://lemmy.ml/post/26304038

from the OpenSSH 9.9p2 release announcement:


This release fixes two security bugs.

Security
========

* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
  (inclusive) contained a logic error that allowed an on-path
  attacker (a.k.a MITM) to impersonate any server when the
  VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
  (inclusive) is vulnerable to a memory/CPU denial-of-service related
  to the handling of SSH2_MSG_PING packets. This condition may be
  mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here
this post was submitted on 21 Feb 2025
6 points (100.0% liked)

Self Hosted - Self-hosting your services.

11599 readers
26 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 3 years ago
MODERATORS
dogmuffins@lemmy.ml
Zoe8338@lemmy.ml
testman@lemmy.ml