diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 0cbd22f..3a80074 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -116,17 +116,18 @@ diff -up openssh-7.9p1/kexgexc.c.fips openssh-7.9p1/kexgexc.c #include #include -@@ -118,6 +119,10 @@ input_kex_dh_gex_group(int type, u_int32 - r = SSH_ERR_ALLOC_FAIL; - goto out; +@@ -115,6 +116,11 @@ input_kex_dh_gex_group(int type, u_int32 } + p = g = NULL; /* belong to kex->dh now */ + + if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) { + r = SSH_ERR_INVALID_ARGUMENT; + goto out; + } - p = g = NULL; /* belong to kex->dh now */ - ++ /* generate and send 'e', client DH public key */ + if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0) + goto out; diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h --- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200 +++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100 diff --git a/openssh.spec b/openssh.spec index 4441f58..e5197d9 100644 --- a/openssh.spec +++ b/openssh.spec @@ -66,7 +66,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 29 +%global openssh_rel 30 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 @@ -854,6 +854,11 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Mon Jun 29 2026 Zoltan Fridrich - 8.0p1-30 +- CVE-2026-55653: Fix double free in openssh DH-GEX client path during + FIPS known-group validation that leads to client-side denial of service + Resolves: RHEL-185775 + * Mon Apr 13 2026 Zoltan Fridrich - 8.0p1-29 - CVE-2026-35385: Fix privilege escalation via scp legacy protocol when not in preserving file mode
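Review bot: The relocated FIPS known-group check in input_kex_dh_gex_group is only safe because it now runs after `p = g = NULL;`, yet nothing in the new lines records that ordering, so a later rebase of this downstream patch could move it back above the assignment. The cleanup at `out` is outside the hunk; going by the changelog entry it presumably frees `p` and `g`, which kex->dh already owns at that point. I would add a comment above the check, e.g. `/* keep after p = g = NULL: a failure here jumps to out, and kex->dh already owns p and g */`. It is also worth confirming that no other `goto out` added by this patch sits between the point where kex->dh takes ownership and the NULL assignment; those sections are not visible here.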