Security update for openssh

Announcement ID: SUSE-SU-2025:20160-1
Release Date: 2025-03-25T09:02:43Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-26465 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2025-26465 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  • CVE-2025-26466 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-26466 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-26466 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves two vulnerabilities and has 12 fixes can now be installed.

Description:

This update for openssh fixes the following issues:

  • CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).
  • CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041).

Other bugfixes:

  • Fix an ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2, caused by the GSSAPI proposal not being correctly initialized (bsc#1236826).
  • Add #include <stdlib.h> in some files added by the ldap patch to fix build with gcc14 (bsc#1225904).
  • Added missing struct initializer, added missing parameter (bsc#1222840).
  • Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream (bsc#1221928).
  • Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063).
  • Add a patch to fix a regression introduced in 9.6 that makes X11 forwarding very slow (bsc#1229449).
  • Drop the unsupported keycat binary, except for the code that is used by other SELinux patches (bsc#1229072).
  • Fix the RFC 4256 implementation so that the keyboard-interactive authentication method can send instructions and sshd shows them to users (bsc#1229010).
  • Add attempts to mitigate instances of secrets lingering in memory after a session exits (bsc#1186673, bsc#1213004, bsc#1213008).
  • Remove the empty line at the end of sshd-sle.pamd (bsc#1227456).

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-259=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • openssh-9.6p1-3.1
    • openssh-clients-debuginfo-9.6p1-3.1
    • openssh-common-9.6p1-3.1
    • openssh-debugsource-9.6p1-3.1
    • openssh-server-debuginfo-9.6p1-3.1
    • openssh-debuginfo-9.6p1-3.1
    • openssh-server-config-rootlogin-9.6p1-3.1
    • openssh-clients-9.6p1-3.1
    • openssh-fips-9.6p1-3.1
    • openssh-common-debuginfo-9.6p1-3.1
    • openssh-server-9.6p1-3.1
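The following script is an added example and is not part of the SUSE advisory or of the openssh package. It reports whether the openssh packages on a host are at or above the fixed build 9.6p1-3.1 from the package list above, and shows the effective client value of VerifyHostKeyDNS, the setting CVE-2025-26465 concerns. It assumes a `sort` that supports `-V` (GNU coreutils or busybox) and, when `rpm` is absent, falls back to constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: report whether this host's openssh
# packages are at or above the fixed build named in the advisory's package list, and
# whether the ssh client evaluates VerifyHostKeyDNS (the setting CVE-2025-26465 concerns).

FIXED_VR="9.6p1-3.1"   # version-release of the fixed packages listed in the advisory

# version_at_least INSTALLED FIXED: succeeds when INSTALLED >= FIXED.
# Assumes GNU/busybox "sort -V" orders these SUSE version-release strings correctly.
version_at_least() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$2" ]
}

# check_line "NAME VERSION-RELEASE": prints FIXED/VULNERABLE; returns 0 only when fixed.
check_line() {
    name=${1%% *}
    vr=${1#* }
    if version_at_least "$vr" "$FIXED_VR"; then
        echo "FIXED $name ($vr)"
    else
        echo "VULNERABLE $name ($vr, fix is $FIXED_VR)"
        return 1
    fi
}

# Emit "NAME VERSION-RELEASE" for the installed openssh packages; without rpm,
# use a constructed sample so the script still runs offline.
list_openssh_packages() {
    if command -v rpm >/dev/null 2>&1; then
        for p in openssh openssh-common openssh-clients openssh-server; do
            rpm -q "$p" >/dev/null 2>&1 && rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$p"
        done
    else
        printf '%s\n' "openssh-clients 9.6p1-2.1" "openssh-server 9.6p1-3.1"  # constructed sample
    fi
}

# Effective client value of VerifyHostKeyDNS as printed by "ssh -G" ("unknown" without ssh).
verify_host_key_dns_setting() {
    command -v ssh >/dev/null 2>&1 || { echo unknown; return 0; }
    ssh -G localhost 2>/dev/null | awk '$1 == "verifyhostkeydns" { print $2; found = 1 } END { if (!found) print "unknown" }'
}

list_openssh_packages | while IFS= read -r line; do check_line "$line" || :; done
echo "VerifyHostKeyDNS (effective client setting): $(verify_host_key_dns_setting)"
```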
