The OpenSSH client is vulnerable to an active machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (it is disabled by default): when a vulnerable client connects to a server, an active machine-in-the-middle can impersonate the server by completely bypassing the client's checks of the server's identity.
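An added example, not from this thread or from OpenSSH itself, that resolves the effective VerifyHostKeyDNS value for a hostname from a client config the way ssh(1) does (first obtained value wins), so an administrator can find hosts for which the non-default setting is actually in force. The config is constructed for illustration, and `Match` blocks other than `Match all` are treated as not applying, which is an assumption of this parser.

```python
import fnmatch
import re

# Constructed sample client config (not taken from the thread). In ssh_config the
# first obtained value for an option wins, so specific Host blocks come first.
SAMPLE_CONFIG = """\
Host bastion.example.com
    VerifyHostKeyDNS yes
Host *.example.com
    verifyhostkeydns=ask
Host *
    VerifyHostKeyDNS no
"""


def _host_matches(patterns, hostname):
    """Evaluate an ssh_config Host pattern list ('*' and '?' wildcards, '!' negation)."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(hostname.lower(), pat.lstrip("!").lower()):
            if negate:
                return False  # a negated match excludes the host from the whole block
            matched = True
    return matched


def effective_verify_host_key_dns(config_text, hostname):
    """Resolve VerifyHostKeyDNS for hostname as ssh(1) would: the first occurrence in
    an applicable section wins; if never set, the compiled-in default is 'no'."""
    active = True  # directives before any Host/Match block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # keyword is case-insensitive
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            active = _host_matches(value.split(), hostname)
        elif key == "match":
            active = value.lower() == "all"  # assumption: other Match criteria not modelled
        elif active and key == "verifyhostkeydns":
            return value.lower()
    return "no"


def audit(config_text, hostnames):
    """Return (host, value) pairs whose effective setting is not the safe default 'no'."""
    return [(h, v) for h in hostnames
            if (v := effective_verify_host_key_dns(config_text, h)) != "no"]
```

On a live system `ssh -G hostname` prints the effective value directly; this parser is for auditing collected config files offline.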
Making it Public as https://seclists.org/oss-sec/2025/q1/144
Am I reading that correctly on https://access.redhat.com/security/cve/CVE-2025-26465 -- there is no fix planned for RHEL 8 because it's a non-default config + moderate rating?
Regarding the CVE link mentioned below, the OpenSSH client must have the VerifyHostKeyDNS option enabled, which is disabled by default in Red Hat Enterprise Linux (RHEL). https://access.redhat.com/security/cve/CVE-2025-26465#cve-affected-packages

| Products / Services | Components | State | Errata | Release Date |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 9 | openssh | Affected | | |
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred | | |

If the `VerifyHostKeyDNS` option is disabled in RHEL 9, then why is it in the `affected` state? Is there any timeline to fix this in RHCOS?
Customer is looking for an update on my previous comment. Kindly assist. Thanks!
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:3837 https://access.redhat.com/errata/RHSA-2025:3837