
Call for testing - OpenSSH CVE-2025-26465

Jonathan Wright

Infrastructure SIG lead & ALESCo member

Earlier this week Qualys announced two critical vulnerabilities for OpenSSH - CVE-2025-26465 and CVE-2025-26466. We are looking for help testing the patches for CVE-2025-26465.

The Qualys Threat Research Unit (TRU) has identified two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465, allows an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second, CVE-2025-26466, affects both the OpenSSH client and server, enabling a pre-authentication denial-of-service attack.

Neither RHEL nor AlmaLinux is impacted by CVE-2025-26466 in any way.

However, both AlmaLinux 8 and 9 are impacted by CVE-2025-26465. While it is not yet patched in RHEL 9, and is considered out of scope for RHEL 8, some of our users are asking us to patch this for their own security. As a result, we have pulled in the upstream patches and are asking users to test the updates.

Installing the patched versions of OpenSSH on AlmaLinux

It only takes a few steps to install and test the patched version of OpenSSH in the testing repo.

Install the testing repo

dnf install -y almalinux-release-testing

Then update openssh:

dnf update openssh

Confirm you have the patched version of OpenSSH

rpm -qa openssh

You should see a version equal to or newer than the ones below, depending on when you install the patches.

  • AlmaLinux 8 - openssh-8.0p1-25.el8_10.alma.1
  • AlmaLinux 9 - openssh-8.7p1-43.el9.alma.1
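To automate that check, here is an added Python script (not from the post or the AlmaLinux project) that compares the line printed by `rpm -qa openssh` against the minimum builds listed above using rpm's segment-by-segment version ordering, so a later build such as a `-44.el9` release also passes. The per-release minimums are the two NVRs above; the architecture suffix list is an assumption.

```python
import re

# Minimum patched builds named in the post, keyed by AlmaLinux major version.
PATCHED_MINIMUM = {
    8: "openssh-8.0p1-25.el8_10.alma.1",
    9: "openssh-8.7p1-43.el9.alma.1",
}
# `rpm -qa` appends an architecture; strip it before splitting name-version-release (assumed list).
ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|ppc64le|s390x|noarch)$")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style segment comparison: returns -1, 0 or 1; '~' sorts before anything ('^' not handled)."""
    if a == b:
        return 0
    while a and b:
        a = re.sub(r"^[^a-zA-Z0-9~]+", "", a)  # separators such as '.', '_' and '-' are skipped
        b = re.sub(r"^[^a-zA-Z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not (a.startswith("~") and b.startswith("~")):
                return 1 if b.startswith("~") else -1  # the side with the tilde is older
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r"^\d+" if numeric else r"^[a-zA-Z]+"
        ma, mb = re.match(pat, a), re.match(pat, b)
        if mb is None:
            return 1 if numeric else -1  # a numeric segment is newer than an alphabetic one
        sa, sb = ma.group(0), mb.group(0)
        a, b = a[len(sa):], b[len(sb):]
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # compare numerically: longer digit string wins
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a and not b:
        return 0
    if not a:
        return 1 if b.startswith("~") else -1  # leftover segments win unless they are a pre-release
    return -1 if a.startswith("~") else 1

def is_patched(installed: str, alma_major: int) -> bool:
    """True if the NVRA printed by `rpm -qa openssh` is at least the patched build for this release."""
    name, ver, rel = ARCH_SUFFIX.sub("", installed).rsplit("-", 2)
    mname, mver, mrel = PATCHED_MINIMUM[alma_major].rsplit("-", 2)
    if name != mname:
        raise ValueError(f"expected package {mname}, got {name}")
    return (rpmvercmp(ver, mver) or rpmvercmp(rel, mrel)) >= 0
```

Run it on the host as `python3 -c 'import check; print(check.is_patched("'"$(rpm -qa openssh)"'", 9))'` (adjusting the major version), or import it from your own inventory tooling.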

Note: We don’t recommend that you keep the testing repo enabled after you’ve updated OpenSSH, unless you’ve done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command:

dnf config-manager --disable almalinux-testing

If you encounter problems, please let us know as soon as you can, either in AlmaLinux chat, on bugs.almalinux.org, or by emailing packager@almalinux.org.

Thanks to our community

Security is a priority at AlmaLinux, and once again we’re patching something we know to be important to our community. This is part of the freedom that comes with being a community-powered, Red Hat-equivalent operating system. We appreciate the members of our community who shared their concerns about this and other updates, worked to fix the problems, and have participated in testing our security updates.

If you have any interest in helping us test updates like this in the future, join our chat, join our forums, and keep your eyes open! We’ll be looking for contributions to our OpenQA testing later this year, too!
