openssh: Update to version 9.9p2
Commit Message
- Update from version 9.9p1 to 9.9p2
- Update of rootfile not required
- Changelog
9.9p2
Security
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Bugfixes
* ssh(1), sshd(8): fix regression in Match directive that caused
failures when predicates and their arguments were separated by '='
characters instead of whitespace (bz3739).
* sshd(8): fix the "Match invalid-user" predicate, which was matching
incorrectly in the initial pass of config evaluation.
* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
exchange on big-endian systems.
* Fix a number of build problems on particular operating systems /
configurations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/openssh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
Thank you. I merged this patch into Core Update 192.
I don’t think these are that hot for us, but let’s rather be safe than sorry.
-Michael
> On 19 Feb 2025, at 13:30, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> - Update from version 9.9p1 to 9.9p2
> - Update of rootfile not required
> - Changelog
> 9.9p2
> Security
> * Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
> (inclusive) contained a logic error that allowed an on-path
> attacker (a.k.a MITM) to impersonate any server when the
> VerifyHostKeyDNS option is enabled. This option is off by default.
> * Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
> (inclusive) is vulnerable to a memory/CPU denial-of-service related
> to the handling of SSH2_MSG_PING packets. This condition may be
> mitigated using the existing PerSourcePenalties feature.
> Both vulnerabilities were discovered and demonstrated to be exploitable
> by the Qualys Security Advisory team. We thank them for their detailed
> review of OpenSSH.
> Bugfixes
> * ssh(1), sshd(8): fix regression in Match directive that caused
> failures when predicates and their arguments were separated by '='
> characters instead of whitespace (bz3739).
> * sshd(8): fix the "Match invalid-user" predicate, which was matching
> incorrectly in the initial pass of config evaluation.
> * ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
> exchange on big-endian systems.
> * Fix a number of build problems on particular operating systems /
> configurations.
>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> lfs/openssh | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lfs/openssh b/lfs/openssh
> index b1c9a1635..f2165a96d 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 9.9p1
> +VER = 9.9p2
>
> THISAPP = openssh-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997
> +$(DL_FILE)_BLAKE2 = 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d
>
> install : $(TARGET)
>
> --
> 2.48.1
>
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 9.9p1
+VER = 9.9p2
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997
+$(DL_FILE)_BLAKE2 = 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d
install : $(TARGET)