Merge pull request #772 from AlmaLinux/CVE-2025-26465_blog
CVE-2025-26465 blog
Showing 3 changed files with 64 additions and 1 deletion.
63 changes: 63 additions & 0 deletions
content/blog/2025-02-20-test-patches-for-CVE-2025-26465.md
@@ -0,0 +1,63 @@ | ||
--- | ||
title: "Call for testing - OpenSSH CVE-2025-26465" | ||
type: blog | ||
author: | ||
name: "Jonathan Wright" | ||
bio: "Infrastructure SIG lead & ALESCo member" | ||
image: /users/jonathan.jpg | ||
date: '2025-02-20' | ||
images: | ||
- /blog-images/2025/2025-02-20-openssh-cve.png | ||
post: | ||
title: "Help us test patches for CVE-2025-26465, and see the current status of those patches" | ||
image: /blog-images/2025/2025-02-20-openssh-cve.png | ||
--- | ||
|
||
Earlier this week [Qualys announced](https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466) two critical vulnerabilities for OpenSSH - CVE-2025-26465 and 2025-26466. We are looking for helping testing the patches for CVE-2025-26465. | ||
|
||
> The Qualys Threat Research Unit (TRU) has identified two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465, allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, affects both the OpenSSH client and server, enabling a pre-authentication denial-of-service attack. | ||
**Neither RHEL nor AlmaLinux** is impacted by [CVE-2025-26466](https://access.redhat.com/security/cve/CVE-2025-26466) in any way. | ||
|
||
However, both AlmaLinux 8 and 9 are impacted by CVE-2025-26465. While it is not yet patched in [RHEL 9](https://access.redhat.com/security/cve/CVE-2025-26465), and is considered out of scope for RHEL 8, some of our users are asking us to patch this for their own security. As a result, we have pulled in the upstream patches and are asking users to test the updates. | ||
|
||
## Installing the patched versions of OpenSSH on AlmaLinux | ||
It only takes a few steps to install and test the patched version of OpenSSH in the testing repo. | ||
|
||
**Install the testing repo** | ||
|
||
```bash | ||
dnf install -y almalinux-release-testing | ||
``` | ||
|
||
**Then update openssh:** | ||
|
||
```bash | ||
dnf update openssh | ||
``` | ||
|
||
**Confirm you have the patched version of OpenSSH** | ||
|
||
```bash | ||
rpm -qa openssh | ||
``` | ||
|
||
You should see a version matching or higher than the ones below, depending on when you do the installation of the patches. | ||
|
||
- AlmaLinux 8 - ```openssh-8.0p1-25.el8_10.alma.1 ``` | ||
- AlmaLinux 9 - ```openssh-8.7p1-43.el9.alma.1 ``` | ||
|
||
Note: We don't recommend that you keep the testing repo enabled after you've updated OpenSSH, unless you've done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command: | ||
|
||
```bash | ||
dnf config-manager --disable almalinux-testing | ||
``` | ||
|
||
If you encounter problems, please let us know as soon as you can, either in [AlmaLinux chat](https://chat.almalinux.org), on [bugs.almalinux.org](https://bugs.almalinux.org), or by emailing [packager@almalinux.org](packager@almalinux.org). | ||
|
||
|
||
## Thanks to our community | ||
|
||
Security is a priority at AlmaLinux, and once again we're patching something we know to be important to our community. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported their feelings about this and other updates, worked to fix the problems, and have ever participated in testing our security updates. | ||
|
||
If you have any interest in helping us test updates like this in the future, join our [chat](https://chat.almalinux.org), join our [forums](https://forums.almalinux.org/), and keep your eyes open! We'll be looking for contributions to our OpenQA testing later this year, too! |
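Review bot: the repo id disabled at the end of the post (`dnf config-manager --disable almalinux-testing`) does not visibly match the package installed at the start (`dnf install -y almalinux-release-testing`); please confirm the repo id that package's .repo file actually defines (for example with `dnf repolist --all` after installing it) and use that exact id in the disable command, otherwise readers on production hosts get an unknown-repo error and the testing repo stays enabled. Two related points in the install section: the verification step runs `rpm -qa openssh`, but CVE-2025-26465 is in the ssh client (VerifyHostKeyDNS is a client option), so `rpm -q openssh-clients` is the package whose version matters, and since the quoted Qualys text says the attack needs VerifyHostKeyDNS enabled, it would help readers gauge exposure to note that they can check the effective value with `ssh -G somehost | grep -i verifyhostkeydns`; the two inline version strings also carry a trailing space inside the backticks. In the intro, "looking for helping testing" should read "looking for help testing", the second identifier is missing its `CVE-` prefix, and "critical" is the post's own word rather than anything in the quoted Qualys text. Finally, the email link needs a `mailto:` prefix (`[packager@almalinux.org](mailto:packager@almalinux.org)`) or it renders as a relative URL.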