Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

SUSE: 2025:20160-1 important: openssh MitM and DoS issues

suse
Calendar Grey June 4, 2025
Dist Suse Esm H88
Vital OpenSSH refresh for SUSE Linux Micro tackling significant vulnerabilities and numerous defect corrections.
* bsc#1186673 * bsc#1213004 * bsc#1213008 * bsc#1221063 * bsc#1221928

Summary

## This update for openssh fixes the following issues: * CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040). * CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041). Other bugfixes: * Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826). * Add #include in some files added by the ldap patch to fix build with gcc14 (bsc#1225904). * Added missing struct initializer, added missing parameter (bsc#1222840). * Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream (bsc#1221928). * Use %config(noreplace) for sshd_config. In any case, it's recommended to

References

* bsc#1186673

* bsc#1213004

* bsc#1213008

* bsc#1221063

* bsc#1221928

* bsc#1222840

* bsc#1225904

* bsc#1227456

* bsc#1229010

* bsc#1229072

* bsc#1229449

* bsc#1236826

* bsc#1237040

* bsc#1237041

Cross-

* CVE-2025-26465

* CVE-2025-26466

CVSS scores:

* CVE-2025-26465 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

* CVE-2025-26465 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

* CVE-2025-26465 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

* CVE-2025-26466 ( SUSE ): 8.2

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

* CVE-2025-26466 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2025-26466 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2025:20160-1
Release Date: 2025-03-25T09:02:43Z
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here