-------------------------------------------------------------------------
Debian LTS Advisory DLA-4057-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Colin Watson
February 18, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssh
Version        : 1:8.4p1-5+deb11u4
CVE ID         : CVE-2025-26465

The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client
is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS
option is enabled (disabled by default).

Details can be found in the Qualys advisory at
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

For Debian 11 bullseye, this problem has been fixed in version
1:8.4p1-5+deb11u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
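
A triage check for the two conditions the advisory names, the effective VerifyHostKeyDNS setting and the installed package version. This is an added example, not part of the advisory or of Debian's tooling. It assumes a Debian 11 bullseye host with the client in the openssh-client binary package; the script name and the verdict strings are made up for illustration.

```shell
#!/bin/sh
# Triage for DLA-4057-1 / CVE-2025-26465 on Debian 11 bullseye (added example).
# Usage: sh check-dla-4057.sh <host>   (script name is hypothetical)

# Fixed version for bullseye, as stated in the advisory.
FIXED_VERSION='1:8.4p1-5+deb11u4'

# Reads `ssh -G <host>` output on stdin and prints the effective
# VerifyHostKeyDNS value in lower case, or "unset" if it is not listed.
effective_vhkdns() {
    awk '!seen && tolower($1) == "verifyhostkeydns" { v = tolower($2); seen = 1 }
         END { print (seen ? v : "unset") }'
}

# Prints patched, unpatched or absent for the openssh-client binary package.
package_state() {
    installed=$(dpkg-query -W -f='${Version}' openssh-client 2>/dev/null) || installed=
    if [ -z "$installed" ]; then
        echo absent
    elif dpkg --compare-versions "$installed" ge "$FIXED_VERSION"; then
        echo patched
    else
        echo unpatched
    fi
}

# assess <option-value> <package-state>: prints one verdict line.
# Assumption: any value other than no/false/unset counts as enabled.
assess() {
    case "$1" in
        no|false|unset) enabled=no ;;
        *)              enabled=yes ;;
    esac
    case "$enabled:$2" in
        *:absent)      echo "N/A: openssh-client is not installed" ;;
        yes:unpatched) echo "EXPOSED: VerifyHostKeyDNS=$1 and package older than $FIXED_VERSION" ;;
        no:unpatched)  echo "UPGRADE: option is off, but package is older than $FIXED_VERSION" ;;
        yes:patched)   echo "OK: package is fixed (VerifyHostKeyDNS=$1 is enabled)" ;;
        *)             echo "OK: package is fixed and VerifyHostKeyDNS is off" ;;
    esac
}

main() {
    assess "$(ssh -G "$1" | effective_vhkdns)" "$(package_state)"
}

# Runs only when a host name is given, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Because ssh -G resolves Host and Match blocks, the result is per destination; run it for each host alias whose configuration differs.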