Bug 34224 - openssh new security issue CVE-2025-32728
Summary: openssh new security issue CVE-2025-32728
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-04-25 16:23 CEST by Nicolas Salguero
Modified: 2025-05-16 21:45 CEST
CC: 6 users

See Also:
Source RPM: openssh-9.3p1-2.4.mga9.src.rpm
CVE: CVE-2025-32728
Status comment:


Description Nicolas Salguero 2025-04-25 16:23:41 CEST
Ubuntu has issued an advisory on April 24:
https://ubuntu.com/security/notices/USN-7457-1
Comment 1 Nicolas Salguero 2025-04-25 16:25:03 CEST
Fixed by: https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367 (V_10_0_P1)

CVE: (none) => CVE-2025-32728
Source RPM: (none) => openssh-9.9p2-1.mga10.src.rpm, openssh-9.3p1-2.4.mga9.src.rpm
Status comment: (none) => Fixed upstream in 10.0p1 and patch available from upstream
Whiteboard: (none) => MGA9TOO

Comment 2 Lewis Smith 2025-04-27 21:22:52 CEST
Unsure where to put this, so assigning globally.
It is possible NicolasS will do it (he did the last CVE update).

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2025-04-29 14:39:01 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. (CVE-2025-32728)

References:
https://ubuntu.com/security/notices/USN-7457-1
========================

Updated packages in core/updates_testing:
========================
openssh-9.3p1-2.5.mga9
openssh-askpass-common-9.3p1-2.5.mga9
openssh-askpass-gnome-9.3p1-2.5.mga9
openssh-clients-9.3p1-2.5.mga9
openssh-keycat-9.3p1-2.5.mga9
openssh-server-9.3p1-2.5.mga9

from SRPM:
openssh-9.3p1-2.5.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 10.0p1 and patch available from upstream => (none)
Version: Cauldron => 9
Source RPM: openssh-9.9p2-1.mga10.src.rpm, openssh-9.3p1-2.4.mga9.src.rpm => openssh-9.3p1-2.4.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs

PC LX 2025-04-29 17:17:14 CEST

CC: (none) => mageia

katnatek 2025-04-29 19:39:03 CEST

Keywords: (none) => advisory

Comment 4 katnatek 2025-05-01 05:27:00 CEST
I do not see DisableForwarding

-o option
    Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5).

    AddKeysToAgent
    AddressFamily
    BatchMode
    BindAddress
    BindInterface
    CanonicalDomains
    CanonicalizeFallbackLocal
    CanonicalizeHostname
    CanonicalizeMaxDots
    CanonicalizePermittedCNAMEs
    CASignatureAlgorithms
    CertificateFile
    CheckHostIP
    Ciphers
    ClearAllForwardings
    Compression
    ConnectionAttempts
    ConnectTimeout
    ControlMaster
    ControlPath
    ControlPersist
    DynamicForward
    EnableSSHKeysign
    EnableEscapeCommandline
    EscapeChar
    ExitOnForwardFailure
    FingerprintHash
    ForkAfterAuthentication
    ForwardAgent
    ForwardX11
    ForwardX11Timeout
    ForwardX11Trusted
    GatewayPorts
    GlobalKnownHostsFile
    GSSAPIAuthentication
    GSSAPIKeyExchange
    GSSAPIClientIdentity
    GSSAPIDelegateCredentials
    GSSAPIKexAlgorithms
    GSSAPIRenewalForcesRekey
    GSSAPIServerIdentity
    GSSAPITrustDns
    HashKnownHosts
    Host
    HostbasedAcceptedAlgorithms
    HostbasedAuthentication
    HostKeyAlgorithms
    HostKeyAlias
    Hostname
    IdentitiesOnly
    IdentityAgent
    IdentityFile
    IgnoreUnknown
    Include
    IPQoS
    KbdInteractiveAuthentication
    KbdInteractiveDevices
    KexAlgorithms
    KnownHostsCommand
    LocalCommand
    LocalForward
    LogLevel
    LogVerbose
    MACs
    Match
    NoHostAuthenticationForLocalhost
    NumberOfPasswordPrompts
    PasswordAuthentication
    PermitLocalCommand
    PermitRemoteOpen
    PKCS11Provider
    Port
    PreferredAuthentications
    ProxyCommand
    ProxyJump
    ProxyUseFdpass
    PubkeyAcceptedAlgorithms
    PubkeyAuthentication
    RekeyLimit
    RemoteCommand
    RemoteForward
    RequestTTY
    RevokedHostKeys
    SecurityKeyProvider
    RequiredRSASize
    SendEnv
    ServerAliveInterval
    ServerAliveCountMax
    SessionType
    SetEnv
    StdinNull
    StreamLocalBindMask
    StreamLocalBindUnlink
    StrictHostKeyChecking
    SyslogFacility
    TCPKeepAlive
    Tunnel
    TunnelDevice
    UpdateHostKeys
    User
    UserKnownHostsFile
    VerifyHostKeyDNS
    VisualHostKey
    XAuthLocation

And the options to not forward X11, -o ForwardX11=no or -x, look like they work.
Does this issue really affect our version?
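An added audit check, not part of this bug report or of OpenSSH itself, tying together the advisory in comment 3 and the question in comment 4: DisableForwarding is a server-side sshd_config(5) directive (which is why it is absent from the ssh(1) option list above), and on a pre-10.0 sshd it does not cover X11 or agent forwarding, so a hardened server should also carry explicit X11Forwarding no and AllowAgentForwarding no. The two sample configurations are constructed to look like `sshd -T` output; a real audit would feed the actual `sshd -T` dump (run as root) into the same function.

```shell
#!/bin/sh
# Constructed samples of "sshd -T" output (the effective server configuration,
# keywords lowercased as sshd prints them). Not captured from a real host.
SAMPLE_RELIANT_CONFIG='port 22
disableforwarding yes
x11forwarding yes
allowagentforwarding yes
allowtcpforwarding yes'

SAMPLE_HARDENED_CONFIG='port 22
disableforwarding yes
x11forwarding no
allowagentforwarding no
allowtcpforwarding no'

# effective_value CONFIG KEYWORD: print the value of KEYWORD (empty if absent).
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# forwarding_gap CONFIG: succeed (0) when the config does not rely on
# DisableForwarding to block X11/agent forwarding, i.e. either it is not set
# or both X11Forwarding and AllowAgentForwarding are explicitly "no".
# Fail (1) and name the missing directives otherwise: on a pre-10.0 sshd
# (CVE-2025-32728) DisableForwarding leaves those two channels open.
forwarding_gap() {
    cfg=$1
    if [ "$(effective_value "$cfg" disableforwarding)" != "yes" ]; then
        return 0
    fi
    gap=""
    for key in x11forwarding allowagentforwarding; do
        if [ "$(effective_value "$cfg" "$key")" != "no" ]; then
            gap="$gap $key"
        fi
    done
    if [ -z "$gap" ]; then
        return 0
    fi
    echo "set explicitly to no:$gap"
    return 1
}

# Demonstration on the constructed samples; a real audit would pass "$(sshd -T)".
for name in SAMPLE_RELIANT_CONFIG SAMPLE_HARDENED_CONFIG; do
    eval "sample=\$$name"
    if forwarding_gap "$sample"; then
        echo "$name: ok"
    else
        echo "$name: relies on DisableForwarding alone"
    fi
done
```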
Comment 5 Herman Viaene 2025-05-01 12:09:24 CEST
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues
# systemctl start sshd
# systemctl -l status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-05-01 11:23:47 CEST; 6s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 10556 (sshd)
      Tasks: 1 (limit: 8806)
     Memory: 1.3M
        CPU: 141ms
     CGroup: /system.slice/sshd.service
             └─10556 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

May 01 11:23:47 mach3.hviaene.thuis systemd[1]: Starting sshd.service...
May 01 11:23:47 mach3.hviaene.thuis sshd[10556]: Server listening on 0.0.0.0 port 22.
May 01 11:23:47 mach3.hviaene.thuis sshd[10556]: Server listening on :: port 22.
May 01 11:23:47 mach3.hviaene.thuis systemd[1]: Started sshd.service.

$ ssh -oHostKeyAlgorithms=+ssh-dss -oPubkeyAcceptedKeyTypes=+ssh-dss me@165.72.193.193
(me@165.72.193.193) Password: 
seems to work.
Generated key and could connect to and from my desktop PC.
AFAICS it works OK.

CC: (none) => herman.viaene

Comment 6 katnatek 2025-05-02 20:20:10 CEST
RH x86_64

installing openssh-clients-9.3p1-2.5.mga9.x86_64.rpm openssh-server-9.3p1-2.5.mga9.x86_64.rpm openssh-askpass-gnome-9.3p1-2.5.mga9.x86_64.rpm openssh-askpass-common-9.3p1-2.5.mga9.x86_64.rpm openssh-9.3p1-2.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/5: openssh               ##################################################################################################
      2/5: openssh-clients       ##################################################################################################
      3/5: openssh-askpass-common
                                 ##################################################################################################
      4/5: openssh-askpass-gnome ##################################################################################################
      5/5: openssh-server        ##################################################################################################

      1/5: removing openssh-askpass-gnome-9.3p1-2.4.mga9.x86_64
                                 ##################################################################################################
      2/5: removing openssh-server-9.3p1-2.4.mga9.x86_64
                                 ##################################################################################################
      3/5: removing openssh-askpass-common-9.3p1-2.4.mga9.x86_64
                                 ##################################################################################################
      4/5: removing openssh-clients-9.3p1-2.4.mga9.x86_64
                                 ##################################################################################################
      5/5: removing openssh-9.3p1-2.4.mga9.x86_64
                                 ##################################################################################################

Still do not see DisableForwarding in ssh options

systemctl restart sshd
systemctl -l status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-05-02 12:13:38 CST; 27s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 39900 (sshd)
      Tasks: 1 (limit: 6903)
     Memory: 1.4M
        CPU: 41ms
     CGroup: /system.slice/sshd.service
             └─39900 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

may 02 12:13:38 jgrey.phoenix systemd[1]: Starting sshd.service...
may 02 12:13:38 jgrey.phoenix sshd[39900]: Server listening on 192.168.1.3 port 22.
may 02 12:13:38 jgrey.phoenix systemd[1]: Started sshd.service.

Unmount and mount sshfs mount points
Connect to other servers
Connect from an external server to my server

OK as long as it does not produce side effects, but I am still not sure if it is something to fix in Mageia

CC: (none) => andrewsfarm

Comment 7 PC LX 2025-05-05 11:15:06 CEST
Installed and tested without issues.

Tested for 3 days on multiple machines and VMs, as client and server, without issues.
Tested systems' architectures are x86_64 (Intel and AMD) and ARM aarch64.
Tested systemd socket activated, port forwarding, X11 forwarding, key authentication, proxy SOCKS5, etc.



$ uname -a
Linux jupiter 6.6.88-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Sat Apr 26 22:17:20 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep openssh | sort
lxqt-openssh-askpass-1.4.0-1.mga9
openssh-9.3p1-2.5.mga9
openssh-askpass-common-9.3p1-2.5.mga9
openssh-askpass-qt5-2.1.0-10.mga9
openssh-clients-9.3p1-2.5.mga9
openssh-server-9.3p1-2.5.mga9
$ systemctl status sshd.socket
● sshd.socket - OpenSSH Server Socket
     Loaded: loaded (/etc/systemd/system/sshd.socket; enabled; preset: disabled)
     Active: active (listening) since Mon 2025-05-05 09:38:45 WEST; 31min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
     Listen: [::]:22222 (Stream)
   Accepted: 0; Connected: 0;
      Tasks: 0 (limit: 37587)
     Memory: 8.0K
        CPU: 464us
     CGroup: /system.slice/sshd.socket

Warning: some journal files were not opened due to insufficient permissions.
Comment 8 Brian Rockwell 2025-05-12 19:04:52 CEST
MGA9-x86, Xfce


The following 2 packages are going to be installed:

- openssh-9.3p1-2.5.mga9.x86_64
- openssh-clients-9.3p1-2.5.mga9.x86_64

56B of additional disk space will be used.

--

ssh'd into a server - no issues
used various functions all worked

CC: (none) => brtians1

Comment 9 Dan Fandrich 2025-05-13 03:18:48 CEST
I've been using this for a few days on x86_64 without issue.

CC: (none) => dan

katnatek 2025-05-14 06:01:03 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 10 Thomas Andrews 2025-05-15 04:31:03 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2025-05-16 21:45:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0157.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED