---
title: "Call for testing - OpenSSH CVE-2025-26465"
type: blog
author:
  name: "Jonathan Wright"
  bio: "Infrastructure SIG lead & ALESCo member"
  image: /users/jonathan.jpg
date: '2025-02-20'
images:
- /blog-images/2025/2025-02-20-openssh-cve.png
post:
  title: "Help us test patches for CVE-2025-26465, and see the current status of those patches"
  image: /blog-images/2025/2025-02-20-openssh-cve.png
---
Earlier this week [Qualys announced](https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466) two vulnerabilities in OpenSSH, CVE-2025-26465 and CVE-2025-26466. We are looking for help testing the patches for CVE-2025-26465.
> The Qualys Threat Research Unit (TRU) has identified two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465, allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, affects both the OpenSSH client and server, enabling a pre-authentication denial-of-service attack.
**Neither RHEL nor AlmaLinux** is affected by [CVE-2025-26466](https://access.redhat.com/security/cve/CVE-2025-26466).
Both AlmaLinux 8 and 9, however, are affected by CVE-2025-26465. It is not yet patched in [RHEL 9](https://access.redhat.com/security/cve/CVE-2025-26465) and is considered out of scope for RHEL 8, but some of our users have asked us to patch it for their own security, so we have pulled in the upstream patches and are asking users to test the updates. Note that the attack only works against a client with the VerifyHostKeyDNS option enabled; that option is off by default in upstream OpenSSH, so a client running the default configuration is not exposed, but we still recommend applying the patch rather than relying on that.
## Installing the patched versions of OpenSSH on AlmaLinux
It only takes a few steps to install and test the patched version of OpenSSH in the testing repo.
**Install the testing repo**
```bash
dnf install -y almalinux-release-testing
```
**Then update openssh:**
```bash
dnf update openssh
```
**Confirm you have the patched version of OpenSSH**
```bash
rpm -qa openssh
```
You should see a version matching or newer than the ones below, depending on when you install the patches:
- AlmaLinux 8 - `openssh-8.0p1-25.el8_10.alma.1`
- AlmaLinux 9 - `openssh-8.7p1-43.el9.alma.1`
Note: we don't recommend keeping the testing repo enabled after you've updated OpenSSH unless this is a truly non-production environment. On a production system, disable the repo with this command:
```bash
dnf config-manager --disable almalinux-testing
```
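The two checks above (is the installed package at or above the listed release, and does this client even have VerifyHostKeyDNS enabled) can be scripted. The following is an added example written for this post, not AlmaLinux tooling. It assumes package strings in the `NAME-VERSION-RELEASE` form printed by `rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' openssh` (a trailing `.arch` from plain `rpm -qa openssh` is tolerated), that the upstream version does not change within an EL major (8.0p1 on el8, 8.7p1 on el9), and that `ssh -G` prints the effective client configuration in lowercase `key value` lines; the function names are the example's own.

```bash
#!/bin/sh
# Added example (not AlmaLinux's own code): check whether the installed openssh
# package meets the minimum patched releases from the post, and whether the ssh
# client's effective configuration has VerifyHostKeyDNS enabled at all.

# Minimum patched releases listed in the post.
MIN_EL8="openssh-8.0p1-25.el8_10.alma.1"
MIN_EL9="openssh-8.7p1-43.el9.alma.1"

# openssh-8.7p1-43.el9.alma.1.x86_64 -> openssh-8.7p1-43.el9.alma.1
strip_arch() {
    case "$1" in
        *.x86_64|*.aarch64|*.ppc64le|*.s390x|*.noarch) echo "${1%.*}" ;;
        *) echo "$1" ;;
    esac
}

# openssh-8.7p1-43.el9.alma.1 -> 43 (the numeric release field)
release_number() {
    rel=${1#openssh-*-}      # 43.el9.alma.1
    echo "${rel%%.*}"        # 43
}

# openssh-8.0p1-25.el8_10.alma.1 -> el8 ; openssh-8.7p1-43.el9.alma.1 -> el9
el_major() {
    rel=${1#openssh-*-}      # 25.el8_10.alma.1
    rel=${rel#*.}            # el8_10.alma.1
    echo "${rel%%[._]*}"     # el8
}

# Trailing AlmaLinux patch counter: ...el9.alma.1 -> 1 ; no .alma. suffix -> 0
alma_number() {
    case "$1" in
        *.alma.*) echo "${1##*.alma.}" ;;
        *)        echo 0 ;;
    esac
}

# is_patched NVR : exit 0 if NVR is at or above the minimum for its EL major,
# 1 if it is older, 2 if the EL major is not one the post lists.
is_patched() {
    nvr=$(strip_arch "$1")
    case "$(el_major "$nvr")" in
        el8) min=$MIN_EL8 ;;
        el9) min=$MIN_EL9 ;;
        *)   return 2 ;;
    esac
    have=$(release_number "$nvr")
    want=$(release_number "$min")
    if [ "$have" -gt "$want" ]; then return 0; fi
    if [ "$have" -lt "$want" ]; then return 1; fi
    # Same release number: a later RHEL build would carry a higher release, so
    # all that distinguishes patched from unpatched here is the .alma counter.
    [ "$(alma_number "$nvr")" -ge "$(alma_number "$min")" ]
}

# Reads `ssh -G <host>` output on stdin. Exit 0 when VerifyHostKeyDNS is
# "yes" or "ask" (the settings the attack needs), 1 when it is "no".
verifyhostkeydns_enabled() {
    while read -r key value; do
        if [ "$key" = "verifyhostkeydns" ]; then
            case "$value" in
                yes|ask) return 0 ;;
                *)       return 1 ;;
            esac
        fi
    done
    return 1
}

# Live check for an AlmaLinux host. Not run automatically, so the functions
# above can be sourced and exercised on any machine.
check_host() {
    nvr=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' openssh) || return 2
    if is_patched "$nvr"; then
        echo "$nvr: at or above the patched release"
    else
        echo "$nvr: below the patched release"
    fi
    # -G prints the effective client config for the named host without connecting.
    if ssh -G localhost | verifyhostkeydns_enabled; then
        echo "VerifyHostKeyDNS is enabled: this client is in the configuration the attack needs"
    else
        echo "VerifyHostKeyDNS is no (the upstream default): this client configuration is not exposed"
    fi
}
```

On a host, source the file and run `check_host`; the version comparison is deliberately limited to the two releases the post names, and returns 2 rather than guessing for any other EL major.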
If you encounter problems, please let us know as soon as you can, either in [AlmaLinux chat](https://chat.almalinux.org), on [bugs.almalinux.org](https://bugs.almalinux.org), or by emailing [packager@almalinux.org](mailto:packager@almalinux.org).
## Thanks to our community
Security is a priority at AlmaLinux, and once again we're patching something we know to be important to our community. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community who raised concerns about this and other updates, worked to fix the problems, and have participated in testing our security updates.
If you have any interest in helping us test updates like this in the future, join our [chat](https://chat.almalinux.org), join our [forums](https://forums.almalinux.org/), and keep your eyes open! We'll be looking for contributions to our OpenQA testing later this year, too!