
update: openssh #1654

Open
dongsupark opened this issue Feb 18, 2025 · 3 comments
Labels
advisory security advisory security security concerns

Comments

@dongsupark
Member

dongsupark commented Feb 18, 2025

Name: openssh
CVEs: CVE-2025-26465, CVE-2025-26466
CVSSs: n/a, n/a (probably medium)
Action Needed: update to >= 9.9_p2

Summary:

  • CVE-2025-26465: The OpenSSH client is vulnerable to an active machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (it is disabled by default): when a vulnerable client connects to a server, an active machine-in-the-middle can impersonate the server by completely bypassing the client's checks of the server's identity.
  • CVE-2025-26466: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

See also https://seclists.org/oss-sec/2025/q1/144.

refmap.gentoo: https://bugs.gentoo.org/949904

@dongsupark dongsupark added advisory security advisory security security concerns labels Feb 18, 2025
@dongsupark dongsupark moved this from 📝 Needs Triage to 🌱 Upcoming / Focus in Flatcar tactical, release planning, and roadmap Feb 18, 2025
@dongsupark dongsupark moved this from 🌱 Upcoming / Focus to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Feb 18, 2025
@dongsupark dongsupark moved this from ⚒️ In Progress to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Feb 18, 2025
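The first advisory item only applies when the client option VerifyHostKeyDNS is on, so the practical check on a fleet of hosts is to read the client's effective configuration rather than grep ssh_config files. The script below is an added example written for this thread, not Flatcar's or OpenSSH's own code: it parses the "key value" lines that `ssh -G <host>` prints (the sample output is constructed), flags any value other than the default "no", and, when an ssh binary is available locally, runs `ssh -G` against a placeholder host name to assess the real configuration.

```python
"""Check whether a local OpenSSH client has VerifyHostKeyDNS enabled.

Added example for this thread, not Flatcar's or OpenSSH's own code. The
parser works on the "key value" lines that `ssh -G <host>` prints; the
sample output below is constructed for the example.
"""
import shutil
import subprocess
from typing import Dict, Optional

# Constructed sample of `ssh -G` output; real output has many more lines.
SAMPLE_SSH_G_OUTPUT = """\
user alice
hostname bastion.example.invalid
port 22
verifyhostkeydns yes
stricthostkeychecking ask
updatehostkeys true
"""


def parse_ssh_g(text: str) -> Dict[str, str]:
    """Turn `ssh -G` output into {option: value} (keys are printed lowercase).

    Options that print several lines (identityfile, ...) keep the last value,
    which is fine for a single-valued option such as verifyhostkeydns.
    """
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options[key.lower()] = value.strip()
    return options


def verify_host_key_dns_enabled(options: Dict[str, str]) -> bool:
    """True when the client would consult SSHFP records for host keys.

    CVE-2025-26465 only applies when VerifyHostKeyDNS is enabled. The option
    defaults to "no"; "yes" and "ask" both turn the DNS path on, so anything
    other than "no" is treated as enabled here.
    """
    return options.get("verifyhostkeydns", "no").lower() != "no"


def assess(text: str) -> Dict[str, object]:
    """Summarise the exposure of one client configuration."""
    options = parse_ssh_g(text)
    return {
        "verifyhostkeydns": options.get("verifyhostkeydns", "no"),
        "exposed_to_cve_2025_26465": verify_host_key_dns_enabled(options),
    }


def live_ssh_g(host: str = "example.invalid") -> Optional[str]:
    """Capture `ssh -G` from the local client, or None when ssh is absent.

    `-G` prints the effective configuration for the given host and exits
    without connecting, so the placeholder host is never contacted.
    """
    if shutil.which("ssh") is None:
        return None
    proc = subprocess.run(["ssh", "-G", host], capture_output=True,
                          text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Prefer the real client configuration; fall back to the constructed sample.
    print(assess(live_ssh_g() or SAMPLE_SSH_G_OUTPUT))
```

Because `ssh -G` evaluates Host and Match blocks for the name given, run it with the host names your users actually connect to if your ssh_config sets VerifyHostKeyDNS conditionally; the placeholder host only shows the global defaults.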
@tmsdce

tmsdce commented Feb 18, 2025

Hi @dongsupark

I see that a new version of Flatcar stable (4152.2.1) was just released. It mentions that the two CVEs have been fixed, but the version of openssh shipped with the new release is not 9.9_p2 (which fixes the CVEs) but 9.8_p1-r4. This is confirmed by the version shown on one of my nodes running stable:

# ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.3 3 Sep 2024

This is quite confusing. Are the two CVEs actually patched?

@t-lo
Member

t-lo commented Feb 20, 2025

Hello @tmsdce, thank you for bringing this up. For security releases we only include the absolute minimum of changes necessary to address the issue. This ensures a low-risk release (no build or test breakage which would delay the release) as well as a low-risk upgrade (i.e. no side effects in production) for our users. Therefore, we did not upgrade to a new OpenSSH release that might ship unrelated changes; instead, we just applied patches for the security issues (signified by the package release version bump, -r3 -> -r4). The CVEs are patched.
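The confusion above comes from comparing two different things: the upstream version in the `ssh -V` banner (which never shows a distribution revision) and the package version, where the `-r4` bump is what carries the backported fixes. The script below is an added example for this thread, not Flatcar's or Gentoo's tooling. It parses Gentoo/Flatcar-style package versions (`<upstream>[_p<N>][-r<R>]`), treats the upstream fix version 9.9_p2 from the advisory and the backport version 9.8_p1-r4 from this thread as the known-fixed points, and shows that a backport only vouches for its own upstream line (9.8_p1-r4 says nothing about 9.9_p1). The `ssh -V` banner line is constructed from the one quoted above; how you obtain the package version from an image is outside this example.

```python
"""Decide whether an installed OpenSSH package carries the fixes for
CVE-2025-26465 / CVE-2025-26466 when the distribution backports patches.

Added example for this thread, not Flatcar's or Gentoo's tooling. Version
strings use the Gentoo/Flatcar form <upstream>[_p<N>][-r<R>], e.g. 9.8_p1-r4.
"""
import re
from typing import Optional, Tuple

# (dotted base version, _p patch level, -r distribution revision)
Version = Tuple[Tuple[int, ...], int, int]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")
_SSH_V_RE = re.compile(r"OpenSSH_(\d+\.\d+)p(\d+)")

UPSTREAM_FIX = "9.9_p2"             # first upstream release with both fixes (advisory)
FLATCAR_BACKPORT_FIX = "9.8_p1-r4"  # Flatcar stable 4152.2.1 package with the patches (thread)


def parse_gentoo_version(version: str) -> Version:
    """Split '9.8_p1-r4' into ((9, 8), 1, 4); missing parts default to 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {version!r}")
    base, patch, rev = m.groups()
    return (tuple(int(x) for x in base.split(".")), int(patch or 0), int(rev or 0))


def upstream_from_ssh_v(banner: str) -> Optional[str]:
    """Map an `ssh -V` banner (OpenSSH_9.8p1, ...) to the package's upstream part (9.8_p1).

    The banner never shows the -rN revision, so on its own it cannot tell a
    patched 9.8_p1-r4 from an unpatched 9.8_p1-r3.
    """
    m = _SSH_V_RE.search(banner)
    return f"{m.group(1)}_p{m.group(2)}" if m else None


def is_patched(installed: str, upstream_fix: str = UPSTREAM_FIX,
               backport_fix: Optional[str] = None) -> bool:
    """True if `installed` is at/after the upstream fix, or is the backported
    package (same upstream line as `backport_fix`, revision at least as high)."""
    inst = parse_gentoo_version(installed)
    if inst >= parse_gentoo_version(upstream_fix):
        return True
    if backport_fix is not None:
        bp = parse_gentoo_version(backport_fix)
        # A backport only covers its own upstream line: 9.8_p1-r4 says
        # nothing about 9.9_p1, which must be judged against the upstream fix.
        if inst[:2] == bp[:2] and inst[2] >= bp[2]:
            return True
    return False


if __name__ == "__main__":
    banner = "OpenSSH_9.8p1, OpenSSL 3.2.3 3 Sep 2024"  # constructed from the thread
    upstream = upstream_from_ssh_v(banner)
    print(f"banner upstream {upstream}: patched by upstream version alone? "
          f"{is_patched(upstream)}")
    for pkg in ("9.8_p1-r3", "9.8_p1-r4", "9.9_p1", "9.9_p2"):
        print(f"package {pkg}: patched? "
              f"{is_patched(pkg, backport_fix=FLATCAR_BACKPORT_FIX)}")
```

The design point is that the backport entry is keyed to one upstream line: a scanner that simply compares the installed version against 9.9_p2 reports 9.8_p1-r4 as vulnerable, and one that treats "anything newer than 9.8_p1-r4" as fixed wrongly clears 9.9_p1. Keep the vendor's fixed package version and the upstream fixed version as two separate inputs.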

@tmsdce

tmsdce commented Feb 20, 2025

Thanks for your reply @t-lo
This makes sense 👍
