Those CVEs were announced here:
https://openwall.com/lists/oss-security/2025/02/18/1
https://openwall.com/lists/oss-security/2025/02/18/4
Debian has issued an advisory on February 18:
https://lists.debian.org/debian-security-announce/2025/msg00030.html
Fedora has issued an advisory on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STTU3AYQZPT4FUMERJH7RQ3KH3TMQDUI/
Status comment: (none) => Fixed upstream in 9.9p2 and patches available from Fedora and Debian
Source RPM: (none) => openssh-9.9p1-1.mga10.src.rpm, openssh-9.3p1-2.3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-26465, CVE-2025-26466
Assigning globally, but CC'ing wally who seems normally to update openSSH.
CC: (none) => jani.valimaa
Assignee: bugsquad => pkg-bugs
CVE-2025-26466 only affects Cauldron because it affects OpenSSH versions 9.5p1 to 9.9p1.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Machine-in-the-middle attack if verifyhostkeydns is enabled. (CVE-2025-26465)

References:
https://openwall.com/lists/oss-security/2025/02/18/1
https://openwall.com/lists/oss-security/2025/02/18/4
https://lists.debian.org/debian-security-announce/2025/msg00030.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STTU3AYQZPT4FUMERJH7RQ3KH3TMQDUI/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/GGMBNUMHNWAKKPCVKBQBXE7C4WSYOBAY/
https://ubuntu.com/security/notices/USN-7270-1
========================

Updated packages in core/updates_testing:
========================
openssh-9.3p1-2.4.mga9
openssh-askpass-common-9.3p1-2.4.mga9
openssh-askpass-gnome-9.3p1-2.4.mga9
openssh-clients-9.3p1-2.4.mga9
openssh-keycat-9.3p1-2.4.mga9
openssh-server-9.3p1-2.4.mga9

from SRPM:
openssh-9.3p1-2.4.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: openssh-9.9p1-1.mga10.src.rpm, openssh-9.3p1-2.3.mga9.src.rpm => openssh-9.3p1-2.3.mga9.src.rpm
Status comment: Fixed upstream in 9.9p2 and patches available from Fedora and Debian => (none)
CVE: CVE-2025-26465, CVE-2025-26466 => CVE-2025-26465
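The two conditions named in this report (VerifyHostKeyDNS enabled for CVE-2025-26465, upstream 9.5p1 to 9.9p1 for CVE-2025-26466) can be checked on a client as below. This is an added example, not part of the bug report or the Mageia packaging; the function names are hypothetical, the sample input is constructed, and it assumes `ssh -G` reports the setting as true/false/ask.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Read `ssh -G <host>` output on stdin and print the effective
# VerifyHostKeyDNS value, or "unset" if the keyword is absent.
effective_vhkdns() {
    awk 'tolower($1) == "verifyhostkeydns" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }'
}

# Succeed when the value turns DNS host key verification on.
# Assumption: ssh -G reports the setting as true/false/ask; "yes" is
# accepted too in case the value comes straight from a config file.
vhkdns_enabled() {
    case "$1" in
        yes|true|ask) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when an `ssh -V` banner names an upstream release in the
# 9.5p1..9.9p1 range that the report gives for CVE-2025-26466.
# Returns 2 if the banner cannot be parsed.
in_26466_range() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    n=$(( $1 * 10000 + $2 * 100 + $3 ))
    [ "$n" -ge 90501 ] && [ "$n" -le 90901 ]
}

# Constructed sample of `ssh -G example.test` output, not a real capture.
SAMPLE_G='host example.test
user alice
port 22
verifyhostkeydns ask
stricthostkeychecking ask'

v=$(printf '%s\n' "$SAMPLE_G" | effective_vhkdns)
if vhkdns_enabled "$v"; then
    echo "VerifyHostKeyDNS=$v: CVE-2025-26465 precondition present"
fi
if in_26466_range "OpenSSH_9.9p1, OpenSSL 3.3.2"; then  # constructed banner
    echo "upstream version is in the CVE-2025-26466 range"
fi
```

On a live system, pipe `ssh -G <host>` into `effective_vhkdns` and pass the output of `ssh -V 2>&1` to `in_26466_range`. Distribution builds with backported fixes, such as the 9.3p1-2.4.mga9 package in this report, keep the upstream version string, so the range check says nothing about patch status.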
Keywords: (none) => advisory
Installed and tested without issues.

Tested:
- several systems: laptop, workstation, server, VMs, containers;
- to/from other OSs (e.g. FreeBSD, Fedora, Android);
- as client and as server
- ssh shell;
- scp;
- rsync;
- sshfs;
- ansible;
- virsh;
- git;
- X11 forwarding;
- port forwarding;
- systemd socket activation;
- ssh-agent;
- ask password GUI;
- authentication using passwords (enabled just for testing) and keys.

All OK.

Multiple systems: Mageia 9, x86_64.

$ uname -a
Linux jupiter 6.6.79-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Fri Feb 21 17:45:39 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep openssh
openssh-askpass-qt5-2.1.0-10.mga9
lxqt-openssh-askpass-1.4.0-1.mga9
openssh-9.3p1-2.4.mga9
openssh-clients-9.3p1-2.4.mga9
openssh-server-9.3p1-2.4.mga9
openssh-askpass-common-9.3p1-2.4.mga9
CC: (none) => mageia
RH x86_64

installing openssh-9.3p1-2.4.mga9.x86_64.rpm openssh-askpass-common-9.3p1-2.4.mga9.x86_64.rpm openssh-server-9.3p1-2.4.mga9.x86_64.rpm openssh-clients-9.3p1-2.4.mga9.x86_64.rpm openssh-askpass-gnome-9.3p1-2.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/5: openssh ##################################################################################################
2/5: openssh-clients ##################################################################################################
3/5: openssh-askpass-common ##################################################################################################
4/5: openssh-askpass-gnome ##################################################################################################
5/5: openssh-server ##################################################################################################
1/5: removing openssh-askpass-gnome-9.3p1-2.3.mga9.x86_64 ##################################################################################################
2/5: removing openssh-server-9.3p1-2.3.mga9.x86_64 ##################################################################################################
3/5: removing openssh-askpass-common-9.3p1-2.3.mga9.x86_64 ##################################################################################################
4/5: removing openssh-clients-9.3p1-2.3.mga9.x86_64 ##################################################################################################
5/5: removing openssh-9.3p1-2.3.mga9.x86_64 ##################################################################################################

systemctl restart sshd.service
systemctl status sshd.service
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-02-25 19:23:44 CST; 19s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 40616 (sshd)
      Tasks: 1 (limit: 6877)
     Memory: 1.3M
        CPU: 47ms
     CGroup: /system.slice/sshd.service
             └─40616 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

feb 25 19:23:44 jgrey.phoenix systemd[1]: Starting sshd.service...
feb 25 19:23:44 jgrey.phoenix sshd[40616]: Server listening on 192.168.1.3 port 22.
feb 25 19:23:44 jgrey.phoenix systemd[1]: Started sshd.service.

Connection from and to my system works
MGA9-64 Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 33857 and earlier for testing.

# systemctl start sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Wed 2025-02-26 14:10:38 CET; 1min 47s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 14633 (sshd)
      Tasks: 1 (limit: 8806)
     Memory: 1.3M
        CPU: 141ms
     CGroup: /system.slice/sshd.service
             └─14633 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Feb 26 14:10:38 mach3.hviaene.thuis systemd[1]: Starting sshd.service...
Feb 26 14:10:38 mach3.hviaene.thuis sshd[14633]: Server listening on 0.0.0.0 port 22.
Feb 26 14:10:38 mach3.hviaene.thuis sshd[14633]: Server listening on :: port 22.
Feb 26 14:10:38 mach3.hviaene.thuis systemd[1]: Started sshd.service.

I can connect successfully to and from my desktop PC.

$ ssh -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedKeyTypes=+ssh-dss me@165.72.193.193
(me@165.72.193.193) Password:

In view of this and other tests above, OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0080.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED