Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Deepin Integration]~[V23-Release] Update to 9.9p2, fixes CVE-2025-26465, CVE-2025-26466 by UTsweetyfish@deepin-community/openssh by deepin-community-ci-bot[bot] #11301

Open
deepin-bot bot opened this issue Feb 18, 2025 · 4 comments
Open

[Deepin Integration]~[V23-Release] Update to 9.9p2, fixes CVE-2025-26465, CVE-2025-26466 by UTsweetyfish@deepin-community/openssh by deepin-community-ci-bot[bot] #11301

deepin-bot bot opened this issue Feb 18, 2025 · 4 comments
Assignees
@Zeno-sole
Labels
23 25 25 版本特性功能 Project:integrated 集成管理相关 security
Milestone
V23-Release

Comments

@deepin-bot
Copy link

deepin-bot bot commented Feb 18, 2025

Package information | 软件包信息

包名 版本
openssh 1:9.9p2-0deepin1

Package repository address | 软件包仓库地址

deb [trusted=yes] https://ci.deepin.com/repo/obs/deepin:/CI:/TestingIntegration:/test-integration-pr-2600/testing/ ./

Changelog | 更新信息

openssh (1:9.9p2-0deepin1) unstable; urgency=medium
@deepin-bot deepin-bot bot added the Project:integrated 集成管理相关 label Feb 18, 2025
@deepin-bot deepin-bot bot added this to the V23-Release milestone Feb 18, 2025
@deepin-bot deepin-bot bot moved this to In progress in v23-集成管理 Feb 18, 2025
@deepin-bot
Copy link
Author

deepin-bot bot commented Feb 18, 2025
edited by UTsweetyfish
Loading

Integration Test Info

Test suggestion | 测试建议

Influence | 影响范围

ADDITIONAL INFORMATION | 额外补充

Qualys 安全公告:OpenSSH 存在两个新漏洞

Qualys 安全团队近期发现了 OpenSSH 中的两个新漏洞,分别涉及中间人攻击(MitM)和拒绝服务攻击(DoS)。以下是漏洞的详细说明:

  1. CVE-2025-26465:OpenSSH 客户端中间人攻击漏洞

    • 当 OpenSSH 客户端的 VerifyHostKeyDNS 选项启用时(默认关闭),攻击者可以通过中间人攻击完全绕过客户端对服务器身份的验证,从而冒充服务器。
    • 无论 VerifyHostKeyDNS 设置为 "yes" 还是 "ask"(默认是 "no"),攻击都能成功,且无需用户交互。即使服务器没有 SSHFP 资源记录(存储在 DNS 中的 SSH 指纹),攻击依然有效。
    • 该漏洞于 2014 年 12 月引入,影响范围广泛。尽管默认情况下 VerifyHostKeyDNS 是关闭的,但在某些系统(如 FreeBSD)中,该选项曾默认启用。

  2. CVE-2025-26466:OpenSSH 客户端和服务器的拒绝服务攻击漏洞

    • OpenSSH 客户端和服务器在认证前容易受到资源消耗型拒绝服务攻击,攻击者可以消耗大量内存和 CPU 资源。
    • 该漏洞于 2023 年 8 月引入,影响 OpenSSH 9.5p1 及之后的版本。
    • 服务器端可以通过现有的机制(如 LoginGraceTime、MaxStartups 和 PerSourcePenalties)缓解此攻击。

背景信息:
OpenSSH 的代码中存在一些常见的编程模式,例如在函数开始时初始化返回值为非零错误代码,以防止函数错误地返回成功状态。这种模式在漏洞分析中被发现存在潜在风险。

建议:

  • 对于 CVE-2025-26465,建议用户检查并确保 VerifyHostKeyDNS 选项未启用,除非有明确需求。
  • 对于 CVE-2025-26466,建议更新到最新版本的 OpenSSH,并配置适当的防护机制。

https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

@deepin-bot
Copy link
Author

deepin-bot bot commented Feb 18, 2025

IntegrationProjector Notify the author
@UTsweetyfish: Integrated issue updated

@github-actions github-actions bot mentioned this issue Feb 18, 2025
Open
@deepin-bot
Copy link
Author

deepin-bot bot commented Feb 18, 2025

IntegrationProjector Bot
Deepin Testing Integration Project Manager Info
Link to deepin-community/Repository-Integration#2600

@UTsweetyfish UTsweetyfish added security 25 25 版本特性功能 23 labels Feb 18, 2025
@Zeno-sole Zeno-sole assigned babyfengfjx and unassigned Zeno-sole and hudeng-go Feb 18, 2025
@xuqi27837288 xuqi27837288 moved this from In progress to 测试通过 in v23-集成管理 Feb 20, 2025
@xuqi27837288
Copy link

【验证环境】:deepin 25
https://cdimage.uniontech.com/daily-iso/image-beige/CUSTOM/lichenggang/20250217/deepin-25-beige-immutable-amd64-20250217-173203.iso
内核:Linux test-PC 6.12.1-amd64-desktop-hwe
【验证结果】:集成测试通过

@Zeno-sole Zeno-sole moved this from 测试通过 to 已集成 in v23-集成管理 Feb 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Zeno-sole Zeno-sole

Labels
23 25 25 版本特性功能 Project:integrated 集成管理相关 security
Projects
v23-集成管理
Status: 已集成
Milestone
V23-Release
Development

No branches or pull requests
5 participants
@babyfengfjx @Zeno-sole @xuqi27837288 @hudeng-go @UTsweetyfish