Security update for openssh

Announcement ID: SUSE-SU-2025:20226-1
Release Date: 2025-02-26T13:46:04Z
Rating: important
CVSS scores:
  • CVE-2025-26465 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2025-26465 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2025-26466 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-26466 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-26466 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Micro 6.1

An update that solves two vulnerabilities and has five fixes can now be installed.

Description:

This update for openssh fixes the following issues:

Security issues fixed:

  • CVE-2025-26465: Fixed a flaw that let a MitM attacker impersonate a server to an OpenSSH client that has VerifyHostKeyDNS enabled; the option defaults to "no", so only clients that turned it on are exposed (bsc#1237040)
  • CVE-2025-26466: Fixed a pre-authentication denial of service (memory and CPU exhaustion) that an unauthenticated peer could trigger against both the OpenSSH client and server (bsc#1237041)

Other issues fixed:

  • Fixed an ssh client segfault in ssh_kex2 with GSSAPIKeyExchange=yes, caused by the GSSAPI key-exchange proposal not being initialized correctly (bsc#1236826).
  • Added a patch fixing a regression introduced in 9.6 that made X11 forwarding very slow (bsc#1229449).
  • Fixed the RFC 4256 (keyboard-interactive) implementation so that the instruction text of an authentication request is shown to the user even when the request carries no prompt yet. This fixes MFA push notifications (bsc#1229010).
  • Fixed a D-Bus connection leak in the logind patch, which was missing an sd_bus_unref call.
  • Added a patch fixing a small memory leak when parsing the Subsystem configuration option.
  • Removed the empty line at the end of sshd-sle.pamd (bsc#1227456).

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch". Alternatively, you can run the command listed for your product. On SUSE Linux Micro the root filesystem is read-only, so run the command through transactional-update (for example "transactional-update run zypper in -t patch ...") and reboot into the new snapshot; an already running sshd keeps serving with the old code until it is restarted, which on SUSE Linux Micro happens at that reboot.

  • SUSE Linux Micro 6.1
    zypper in -t patch SUSE-SLE-Micro-6.1-21=1
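The following script is an added post-patch check written for this advisory; it is not SUSE's own tooling. It assumes that the SUSE package changelog (as printed by "rpm -q --changelog openssh") carries the CVE identifiers quoted above, and that "ssh -G <host>" prints the effective client configuration with lowercase keywords. The first function confirms both advisory CVEs appear in the installed package's changelog; the second reports whether the client has VerifyHostKeyDNS set to "yes" or "ask", the only settings under which CVE-2025-26465 is reachable on an unpatched client. The sample inputs in the usage branch are constructed for illustration.

```shell
#!/bin/sh
# Added example for SUSE-SU-2025:20226-1; not part of the SUSE advisory or the
# openssh package. Run with "--live" on a host to check the real installation.

# Both CVEs this update fixes (taken from the advisory text above).
ADVISORY_CVES="CVE-2025-26465 CVE-2025-26466"

# Read changelog text from stdin (e.g. `rpm -q --changelog openssh`) and
# succeed only if every CVE of the advisory is mentioned.
# Assumption: SUSE tags the fixing changelog entries with the CVE ids.
changelog_has_all_fixes() {
    log=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$log" | grep -q -F "$cve" || return 1
    done
    return 0
}

# Read `ssh -G <host>` output (or an ssh_config) from stdin and succeed if
# VerifyHostKeyDNS is "yes" or "ask". The default "no" is not affected by
# CVE-2025-26465, so a miss here means the client was never exposed.
client_dns_hostkey_enabled() {
    awk 'tolower($1) == "verifyhostkeydns" { if ($2 == "yes" || $2 == "ask") found = 1 }
         END { exit found ? 0 : 1 }'
}

if [ "${1:-}" = "--live" ]; then
    # Real checks against the installed package and effective client config.
    if rpm -q --changelog openssh | changelog_has_all_fixes; then
        echo "openssh changelog: both advisory CVEs present"
    else
        echo "openssh changelog: advisory CVEs missing, package not patched"
    fi
    if ssh -G localhost | client_dns_hostkey_enabled; then
        echo "VerifyHostKeyDNS is enabled: client was exposed to CVE-2025-26465 before this patch"
    else
        echo "VerifyHostKeyDNS is off: CVE-2025-26465 was not reachable on this client"
    fi
else
    # Constructed sample inputs showing the two calls without touching the host.
    printf 'CVE-2025-26465: VerifyHostKeyDNS MitM\nCVE-2025-26466: DoS\n' \
        | changelog_has_all_fixes && echo "sample changelog: patched"
    printf 'verifyhostkeydns yes\nuser root\n' \
        | client_dns_hostkey_enabled && echo "sample config: VerifyHostKeyDNS enabled"
fi
```

The changelog check is deliberately keyed on CVE identifiers rather than on the version-release string, because the release suffix differs between SUSE products while the CVE ids in the changelog do not.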

Package List:

  • SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    • openssh-common-9.6p1-slfo.1.1_2.1
    • openssh-clients-debuginfo-9.6p1-slfo.1.1_2.1
    • openssh-debugsource-9.6p1-slfo.1.1_2.1
    • openssh-server-9.6p1-slfo.1.1_2.1
    • openssh-server-config-rootlogin-9.6p1-slfo.1.1_2.1
    • openssh-common-debuginfo-9.6p1-slfo.1.1_2.1
    • openssh-server-debuginfo-9.6p1-slfo.1.1_2.1
    • openssh-fips-9.6p1-slfo.1.1_2.1
    • openssh-debuginfo-9.6p1-slfo.1.1_2.1
    • openssh-clients-9.6p1-slfo.1.1_2.1
    • openssh-9.6p1-slfo.1.1_2.1
