Description
ELSA-2025-16823: openssh security update (MODERATE)
[8.0p1-26.0.1]
- Update upstream references [Orabug: 36587718]
[8.0p1-26]
- Fix missing invalid error code checks in OpenSSH. It prevents a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465) Resolves: RHEL-109228
Updated packages
Oracle Linux 8
Oracle Linux aarch64
openssh              8.0p1-26.0.1.el8_10
openssh-askpass      8.0p1-26.0.1.el8_10
openssh-cavs         8.0p1-26.0.1.el8_10
openssh-clients      8.0p1-26.0.1.el8_10
openssh-keycat       8.0p1-26.0.1.el8_10
openssh-ldap         8.0p1-26.0.1.el8_10
openssh-server       8.0p1-26.0.1.el8_10
pam_ssh_agent_auth   0.10.3-7.26.0.1.el8_10
Oracle Linux x86_64
openssh              8.0p1-26.0.1.el8_10
openssh-askpass      8.0p1-26.0.1.el8_10
openssh-cavs         8.0p1-26.0.1.el8_10
openssh-clients      8.0p1-26.0.1.el8_10
openssh-keycat       8.0p1-26.0.1.el8_10
openssh-ldap         8.0p1-26.0.1.el8_10
openssh-server       8.0p1-26.0.1.el8_10
pam_ssh_agent_auth   0.10.3-7.26.0.1.el8_10
Related CVEs
Related vulnerabilities
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A malicious machine impersonating a legitimate server can perform a machine-in-the-middle attack. The issue is caused by how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to succeed, the attacker must first exhaust the client's memory resources, which makes the attack complexity high.
OpenSSH: machine-in-the-middle attack if VerifyHostKeyDNS is enabled