Zimbalwa izinsuku ezedlule, UDamien Miller (omunye wabathuthukisi be-OpenSSH), wazise, ngohlu lwamakheli, i Ukukhishwa kwesondlo kwe-OpenSSH 9.9p2 lokho ilungisa ubungozi obubili etholwe yi-Qualys, engasetshenziselwa ukuhlasela kwe-Man-in-the-Middle (MITM).
Kuyashiwo ukuthi lamaphutha ivumele umhlaseli ukuthi avimbe ukuxhumana kwe-SSH futhi ukhohlise iklayenti ukuthi lamukele ukhiye weseva enonya esikhundleni sokhiye osemthethweni weseva eqondiwe.
I-CVE-2025-26465: Ukudlula ukhiye wokuqinisekisa we-SSH
Owokuqala kobungozi obulungisiwe ekukhishweni kwale nguqulo yokulungisa yi-CVE-2025-26465. Lokhu kuba sengozini kungenxa yephutha eliphusile ohlelweni lwe-ssh, okuvumela umhlaseli ukuthi adlule ukuqinisekiswa kokhiye weseva futhi asebenzise ngempumelelo ukuhlasela kwe-MITM.
Uma iklayenti lizama ukuxhuma kuseva ye-SSH, Umhlaseli angaqondisa kabusha ithrafikhi kuseva mbumbulu futhi ibangele iklayenti ukuthi lamukele ukhiye ongalungile ngaphandle kwesixwayiso, ikholelwa ukuthi ixhunywe kuseva esemthethweni.
Ngaphezu kwalokhu, lobu sengozini:
- Ikhona ku-OpenSSH kusukela kunguqulo 6.8p1 (Disemba 2014).
- Kucushwe uma inketho ye-VerifyHostKeyDNS inikwe amandla.
- Ekucushweni kwesisekelo se-OpenSSH, le nketho ikhutshaziwe ngokuzenzakalela, kodwa ku-FreeBSD inikwe amandla kuze kube uMashi 2023.
Ngokuqondene nezimbangela okubangela lokhu kwehluleka, kukhulunywa ngakho Lokhu kungenxa yokuthi umsebenzi we-verify_host_key_callback() ubiza verify_host_key(), kodwa ihlola kuphela uma ikhodi yephutha ebuyisiwe ithi -1, ishaya indiva amanye amakhodi amaphutha afana no -2. Nini verify_host_key() ibuyisela -2 lapho inkumbulo enganele, kodwa ngenxa yokukhishwa kwekhodi yephutha, Isistimu ithatha ngephutha ukuthi ukhiye womsingathi uqinisekisiwe kahle.
Umhlaseli angakwazi kanjalo ukuxhaphaza leli phutha ngokudala iseva ye-SSH mbumbulu ethumela ukhiye omkhulu wokusingatha (256 KB), okubangela ukusetshenziswa kwememori okweqile eklayentini futhi icuphe isimo sephutha elingabanjwanga.
I-CVE-2025-26466: Ukuvuza kwenkumbulo nokusetshenziswa ngokweqile kwe-CPU ku-SSH
Ukuba sengozini kwesibili okulungisiwe yi-CVE-2025-26466 kanye nalobu bungozi. ithinta kokubili iklayenti le-ssh kanye neseva ye-sshd, kusukela ivumela ukuqeda inkumbulo yenqubo futhi ukhiqize umthwalo ophezulu we-CPU ngokuthumela ngokuphindaphindiwe amaphakethe we-SSH2_MSG_PING.
Umthelela omkhulu walokhu kuba sengcupheni useqinisweni lokuthi Ingaxhashazwa ngaphandle kokuqinisekisa futhi ithinta i-OpenSSH kusukela kunguqulo 9.5p1 (Agasti 2023). Ngaphezu kwalokho, ivumela umhlaseli ukuthi adle izinsiza zesistimu, alulaze ukusebenza futhi abangele ngisho nokuphika isevisi (DoS).
Mayelana nezimbangela ezidala lokhu kwehluleka, kubalwa ukuthi kungenxa yokuthi Iphakethe ngalinye elingenayo le-2-byte SSH16_MSG_PING libangela ukuba kunikezwe ibhafa engu-256-byte enkumbulweni. Lesi sibhafa asikhululwa kuze kuqedwe isivumelwano esibalulekile, okuholela ekuvuzeni kwememori lapho kuthunyelwa amaphakethe amaningi e-PING.
Ukunciphisa kanye nesixazululo
Njengendlela yokulungisa, Kunconywa ukusetha imikhawulo ku-sshd_config usebenzisa lezi ziqondiso ezilandelayo:
- LoginGraceTime: Lokhu kukhawulela isikhathi sokuvala sokuqinisekisa.
- I-MaxStartups: ikhawulela inombolo yokuxhumana okungagunyaziwe.
- PerSourcePenalties: isebenza izinhlawulo kumaklayenti akhiqiza imizamo eminingi yokuxhumana.
Ngokuqondene ne izixazululo, Esokuqala nesinconyiwe kakhulu thuthukisa i-OpenSSH ibe yinguqulo ekhishiwe, “9.9p2” ngokushesha ngangokunokwenzeka ukulungisa lobu buthakathaka. Kodwa uma ukuthuthukiswa okusheshayo kungenzeki, izinyathelo zokunciphisa ezishiwo ngenhla kufanele zisetshenziswe. Ukwengeza, kuyanconywa ukukhubaza i-VerifyHostKeyDNS ngaphandle kwalapho kusetshenziswa izindlela ezithembekile zokuqinisekisa i-DNSSEC.
Uma unjalo unentshisekelo yokwazi okwengeziwe ngayo, ungabheka imininingwane ku- isixhumanisi esilandelayo.
Ungayifaka kanjani i-OpenSSH ku-Linux?
Kulabo abanentshisekelo yokukwazi ukufaka le nguqulo entsha ye-OpenSSH kumasistimu abo, ngoba manje sebengakwenza ukulanda ikhodi yomthombo yalokhu futhi benza ukuhlanganiswa kumakhompyutha abo.
Lokhu kungenxa yokuthi inguqulo entsha ayikakafakwa ezinqolobaneni zokusabalalisa okukhulu kwe-Linux. Ukuthola ikhodi yomthombo, ungenza kusuka ku- isixhumanisi esilandelayo.
Uqedile ukulanda, manje sizovula iphakheji ngomyalo olandelayo:
tar -xvf openssh-9.9p2.tar.gz
Sifaka umkhombandlela owakhiwe:
cd openssh-9.9p2
Y singahlanganisa imiyalo elandelayo:
./configure --prefix = / opt --sysconfdir = / etc / ssh yenza ukufaka