Tuesday, February 18, 2025

[USN-7270-1] OpenSSH vulnerabilities

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAme01ssFAwAAAAAACgkQZWnYVadEvpNs
KRAAhJQveBrF6KEnQBzO+DqaLrJkoNFDzczOwgLify0aRkEqD3L9a4eZcn2eBUi0+W/12Ag19Peb
D4U/5PoVxrjbQ8jugDFCxvf80jsbMIe8V6qk6q2shyq/fKarnk91E0iZU7o3NNOT+f68yo8VWhHn
FU3DOkMsseHBPYD4QsUWkQCG9JIFWEMVi61porAVEySYOtFuoBJg5aZkyDRXtxLPczMrwvQ5u0mI
gSCbShx3DqSfy9kSpqxwjH+C7zqAIBnJQCmE9QomhmjiD7oc79IodgrypUIJEW/C8DWt/sPfGgCw
EfpzjgSIONn1YP3x+lfnl3eP7Wue5V9P9kDSdZ8PU6Ug7rxPlUxdEdrNlscWyb9kT3/yQg8w9kvy
ZKaoSHlPjoLmH/ldM+2nPHH9sz2jc7i0pWAsOPHO/lt1bEeXBW+a/5ICTh/RXIhoozLJ3XWTLpRT
jo7cw8G9usKvbNYQcfPee7mrPpERMwvFnpo1AU7MDWYpcRHs1g3WLyhU6AUfcy4j8L908l84M6w/
kIlTt/X1K3/8bYu4IUjMqI5dTdtmQjrmgFelkpaYRjibs4+RUsO23yQbARDg6TKZycBJ8O8GLnc6
S1WqZfeUlb8f+PwjPNQEl8WU1VwKBAxBLEgzlY6x8MLgzSuAGctC6e84E08w7a7K5AMHYKkiSTl6
Lo4=
=ynf7
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7270-1
February 18, 2025

openssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

It was discovered that the OpenSSH client incorrectly handled the
non-default VerifyHostKeyDNS option. If that option were enabled, an
attacker could possibly impersonate a server by completely bypassing the
server identity check. (CVE-2025-26465)

It was discovered that OpenSSH incorrectly handled the transport-level ping
facility. A remote attacker could possibly use this issue to cause OpenSSH
clients and servers to consume resources, leading to a denial of service.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2025-26466)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
openssh-client 1:9.7p1-7ubuntu4.2
openssh-server 1:9.7p1-7ubuntu4.2

Ubuntu 24.04 LTS
openssh-client 1:9.6p1-3ubuntu13.8
openssh-server 1:9.6p1-3ubuntu13.8

Ubuntu 22.04 LTS
openssh-client 1:8.9p1-3ubuntu0.11
openssh-server 1:8.9p1-3ubuntu0.11

Ubuntu 20.04 LTS
openssh-client 1:8.2p1-4ubuntu0.12
openssh-server 1:8.2p1-4ubuntu0.12

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7270-1
CVE-2025-26465, CVE-2025-26466

Package Information:
https://launchpad.net/ubuntu/+source/openssh/1:9.7p1-7ubuntu4.2
https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.8
https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.11
https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.12

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)