Все бюллетени/sisyphus_riscv64/ALT-PU-2025-3237-1
ALT-PU-2025-3237-1

Обновление пакета openssh в ветке sisyphus_riscv64

Версия9.6p1-alt3
Задание#0
Опубликовано2025-02-20
Макс. серьёзностьMEDIUM
Серьёзность:

Закрытые проблемы (2)

CVE-2025-26465
MEDIUM6.8

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Опубликовано: 2025-02-18Изменено: 2025-11-03
CVSS 3.xСРЕДНЯЯ 6.8
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Ссылки
CVE-2025-26466
MEDIUM5.9

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Опубликовано: 2025-02-28Изменено: 2026-02-10
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки