Bug 2348367 (CVE-2025-22869)
| Summary: | CVE-2025-22869 golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | alcohan, amctagga, anjoseph, bdettelb, bkabrda, crizzo, danken, dhanak, doconnor, dsimansk, dymurray, eglynn, fdeutsch, gkamathe, gparvin, jaharrin, jburrell, jeder, jforrest, jjoyce, jkoehler, jmatthew, jprabhak, jschluet, kingland, kverlaen, lball, lgamliel, lhh, lphiri, lsm5, lsvaty, manissin, matzew, mburns, mgarciac, mnovotny, ncarboni, ngough, njean, nobody, oramraz, owatkins, padillon, pahickey, pgrist, pierdipi, rfreiman, rguimara, rhaigner, rhuss, rjohnson, sausingh, sdawley, smullick, stirabos, teagle, thason, veshanka, whayutin, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | v0.35.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2348771, 2348772, 2350750, 2350751, 2350752, 2350753, 2350754, 2350757, 2350758, 2350759, 2350760, 2350761, 2350764, 2350765, 2350767, 2350806, 2350808, 2350809, 2350810, 2350811, 2350817, 2350819, 2350820, 2350821, 2350822, 2350823, 2350824, 2350825, 2350826, 2350827, 2350828, 2350830, 2350837, 2350838, 2350840, 2350841, 2350844, 2350845, 2350847, 2350749, 2350755, 2350756, 2350762, 2350763, 2350766, 2350768, 2350769, 2350770, 2350771, 2350772, 2350773, 2350774, 2350775, 2350776, 2350777, 2350778, 2350779, 2350780, 2350781, 2350782, 2350783, 2350784, 2350785, 2350786, 2350787, 2350788, 2350789, 2350790, 2350791, 2350792, 2350793, 2350794, 2350795, 2350796, 2350797, 2350798, 2350799, 2350800, 2350801, 2350802, 2350803, 2350804, 2350805, 2350807, 2350812, 2350813, 2350814, 2350815, 2350816, 2350818, 2350829, 2350831, 2350832, 2350833, 2350834, 2350835, 2350836, 2350839, 2350842, 2350843, 2350846, 2361094 | | |
| Bug Blocks: | | | |
Description
OSIDB Bzimport
2025-02-26 04:01:10 UTC
Is there any info on what releases of x/crypto this is fixed in? I don't see anything relevant in here, Mitre, NVD or even the actual change page on googlesource.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22869
https://nvd.nist.gov/vuln/detail/CVE-2025-22869
https://go-review.googlesource.com/c/crypto/+/652135

Based on https://pkg.go.dev/vuln/GO-2025-3487 it looks like this has been fixed in versions v0.35.0 and later.

This issue has been addressed in the following products:

- gatekeeper 3.17 for RHEL 9. Via RHSA-2025:3051 https://access.redhat.com/errata/RHSA-2025:3051
- gatekeeper 3.18 for RHEL 9. Via RHSA-2025:3052 https://access.redhat.com/errata/RHSA-2025:3052
- gatekeeper 3.15 for RHEL 9. Via RHSA-2025:3053 https://access.redhat.com/errata/RHSA-2025:3053
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Via RHSA-2025:3165 https://access.redhat.com/errata/RHSA-2025:3165
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Via RHSA-2025:3175 https://access.redhat.com/errata/RHSA-2025:3175
- Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9. Via RHSA-2025:3172 https://access.redhat.com/errata/RHSA-2025:3172
- Red Hat Enterprise Linux 9.2 Extended Update Support. Via RHSA-2025:3184 https://access.redhat.com/errata/RHSA-2025:3184
- Red Hat Enterprise Linux 9.4 Extended Update Support. Via RHSA-2025:3185 https://access.redhat.com/errata/RHSA-2025:3185
- Red Hat Enterprise Linux 9.4 Extended Update Support. Via RHSA-2025:3186 https://access.redhat.com/errata/RHSA-2025:3186
- Red Hat Enterprise Linux 8. Via RHSA-2025:3210 https://access.redhat.com/errata/RHSA-2025:3210
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Via RHSA-2025:3266 https://access.redhat.com/errata/RHSA-2025:3266
- Red Hat Enterprise Linux 8.8 Extended Update Support. Via RHSA-2025:3268 https://access.redhat.com/errata/RHSA-2025:3268
- Red Hat Enterprise Linux 9. Via RHSA-2025:3336 https://access.redhat.com/errata/RHSA-2025:3336
- multicluster-globalhub 1.2 for RHEL 9. Via RHSA-2025:3498 https://access.redhat.com/errata/RHSA-2025:3498
- Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 8; Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9. Via RHSA-2025:3685 https://access.redhat.com/errata/RHSA-2025:3685
- Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9. Via RHSA-2025:3763 https://access.redhat.com/errata/RHSA-2025:3763
- Red Hat Enterprise Linux 9. Via RHSA-2025:3833 https://access.redhat.com/errata/RHSA-2025:3833
- multicluster-globalhub 1.3 for RHEL 9. Via RHSA-2025:3863 https://access.redhat.com/errata/RHSA-2025:3863
- Red Hat OpenShift Dev Spaces 3 Containers. Via RHSA-2025:3932 https://access.redhat.com/errata/RHSA-2025:3932
- Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9. Via RHSA-2025:3959 https://access.redhat.com/errata/RHSA-2025:3959
- Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9. Via RHSA-2025:4002 https://access.redhat.com/errata/RHSA-2025:4002
- Red Hat OpenShift Container Platform 4.17. Via RHSA-2025:4012 https://access.redhat.com/errata/RHSA-2025:4012
- Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9. Via RHSA-2025:4502 https://access.redhat.com/errata/RHSA-2025:4502
- RHODF-4.18-RHEL-9. Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511
- Red Hat Enterprise Linux 9. Via RHSA-2025:7391 https://access.redhat.com/errata/RHSA-2025:7391
- Red Hat Enterprise Linux 9. Via RHSA-2025:7416 https://access.redhat.com/errata/RHSA-2025:7416
- Red Hat Enterprise Linux 10. Via RHSA-2025:7462 https://access.redhat.com/errata/RHSA-2025:7462
- Red Hat Enterprise Linux 10. Via RHSA-2025:7484 https://access.redhat.com/errata/RHSA-2025:7484
- Red Hat OpenShift Container Platform 4.15. Via RHSA-2025:7698 https://access.redhat.com/errata/RHSA-2025:7698
- Red Hat OpenShift Container Platform 4.14. Via RHSA-2025:7702 https://access.redhat.com/errata/RHSA-2025:7702
- Red Hat OpenShift Dev Spaces 3 Containers. Via RHSA-2025:8244 https://access.redhat.com/errata/RHSA-2025:8244