From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] openssh: Update to version 9.9p2 Date: Wed, 19 Feb 2025 15:36:29 +0000 Message-ID: <29AF51DB-9418-44F4-AF85-983EF9FD3CB3@ipfire.org> In-Reply-To: <20250219133044.3222870-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7792560940885023645==" List-Id: --===============7792560940885023645== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Thank you. I merged this patch into Core Update 192. I don=E2=80=99t think these are that hot for us, but let=E2=80=99s rather be = safe than sorry. -Michael > On 19 Feb 2025, at 13:30, Adolf Belka wrote: >=20 > - Update from version 9.9p1 to 9.9p2 > - Update of rootfile not required > - Changelog > 9.9p2 > Security > * Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1 > (inclusive) contained a logic error that allowed an on-path > attacker (a.k.a MITM) to impersonate any server when the > VerifyHostKeyDNS option is enabled. This option is off by default. > * Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1 > (inclusive) is vulnerable to a memory/CPU denial-of-service related > to the handling of SSH2_MSG_PING packets. This condition may be > mitigated using the existing PerSourcePenalties feature. > Both vulnerabilities were discovered and demonstrated to be exploitable > by the Qualys Security Advisory team. We thank them for their detailed > review of OpenSSH. > Bugfixes > * ssh(1), sshd(8): fix regression in Match directive that caused > failures when predicates and their arguments were separated by '=3D' > characters instead of whitespace (bz3739). > * sshd(8): fix the "Match invalid-user" predicate, which was matching > incorrectly in the initial pass of config evaluation. > * ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key > exchange on big-endian systems. > * Fix a number of build problems on particular operating systems / > configurations. >=20 > Signed-off-by: Adolf Belka > --- > lfs/openssh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) >=20 > diff --git a/lfs/openssh b/lfs/openssh > index b1c9a1635..f2165a96d 100644 > --- a/lfs/openssh > +++ b/lfs/openssh > @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2024 IPFire Team = # > +# Copyright (C) 2007-2025 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 9.9p1 > +VER =3D 9.9p2 >=20 > THISAPP =3D openssh-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_BLAKE2 =3D 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89= adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997 > +$(DL_FILE)_BLAKE2 =3D 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae= 64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d >=20 > install : $(TARGET) >=20 > --=20 > 2.48.1 >=20 --===============7792560940885023645==--