diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 9f83eee..7ad6b1a 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -106,17 +106,18 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c #include #include -@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32 - r = SSH_ERR_ALLOC_FAIL; - goto out; +@@ -117,6 +118,11 @@ input_kex_dh_gex_group(int type, u_int32 } + p = g = NULL; /* belong to kex->dh now */ + + if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) { + r = SSH_ERR_INVALID_ARGUMENT; + goto out; + } - p = g = NULL; /* belong to kex->dh now */ - ++ /* generate and send 'e', client DH public key */ + if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0) + goto out; diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200 diff --git a/openssh.spec b/openssh.spec index 1f09465..c4a9bab 100644 --- a/openssh.spec +++ b/openssh.spec @@ -47,7 +47,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 9.9p1 -%global openssh_rel 8 +%global openssh_rel 9 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 9 @@ -772,6 +772,11 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Jun 26 2026 Zoltan Fridrich - 9.9p1-9 +- CVE-2026-55653: Fix double free in openssh DH-GEX client path during + FIPS known-group validation that leads to client-side denial of service + Resolves: RHEL-186440 + * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-8 - Fix static analysis issues Resolves: RHEL-163366