git.ipfire.org Git - ipfire-2.x.git/commit

author	Adolf Belka <adolf.belka@ipfire.org>
	Wed, 19 Feb 2025 13:30:43 +0000 (14:30 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Wed, 19 Feb 2025 15:12:09 +0000 (15:12 +0000)
commit	28e698dd30ec0dc53a92a8e8fbbeffee1ca1479d
tree	f718b288e4debaab019809d84432439a625ef630	tree
parent	09dd8d7085448ea01637c9cd14d7a8b63e9036d0	commit \| diff

openssh: Update to version 9.9p2

- Update from version 9.9p1 to 9.9p2
- Update of rootfile not required
- Changelog
    9.9p2
Security
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
  (inclusive) contained a logic error that allowed an on-path
  attacker (a.k.a MITM) to impersonate any server when the
  VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
  (inclusive) is vulnerable to a memory/CPU denial-of-service related
  to the handling of SSH2_MSG_PING packets. This condition may be
  mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Bugfixes
* ssh(1), sshd(8): fix regression in Match directive that caused
   failures when predicates and their arguments were separated by '='
   characters instead of whitespace (bz3739).
* sshd(8): fix the "Match invalid-user" predicate, which was matching
   incorrectly in the initial pass of config evaluation.
* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
   exchange on big-endian systems.
* Fix a number of build problems on particular operating systems /
   configurations.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>