Explore top 10 tips to secure your open-source projects now. Read More
×OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like alice@example.com instead
of long-lived SSH keys.
Update Information:
Update to opkssh 0.15.0. This release fixes several CVEs in bundled/vendored dependencies: CVE-2026-39829: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters CVE-2026-39835: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate CVE-2026-39833: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation CVE-2026-27145: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries (fixed via the Go toolchain used to build this package)
* Thu Jul 2 2026 Till Hofmann
[ 1 ] Bug #2490078 - CVE-2026-39829 opkssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2490078
[ 2 ] Bug #2492509 - opkssh-0.15.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2492509
[ 3 ] Bug #2493536 - CVE-2026-39835 opkssh: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2493536
[ 4 ] Bug #2494282 - CVE-2026-27145 opkssh: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494282
[ 5 ] Bug #2494472 - CVE-2026-39833 opkssh: golang.org/x/crypto/ssh/agent: Security bypass due to unenforced key confirmation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2494472
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-a7570524a7' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Get the latest Linux and open source security news straight to your inbox.