bugzilla-daemon at mindrot.org
2025-Mar-10 09:45 UTC
[Bug 3800] New: OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
https://bugzilla.mindrot.org/show_bug.cgi?id=3800
Bug ID: 3800
Summary: OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
Product: Portable OpenSSH
Version: 9.9p2
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: suryalegend89 at gmail.com
Dear OpenSSH Team,
I recently upgraded OpenSSH to version 9.9p2 to address CVE-2025-26465
and CVE-2025-26466. When I run ssh -V, it correctly displays
OpenSSH_9.9p2.
However, when performing a vulnerability scan using Qualys or Tenable,
the reported SSH version appears as 9.9 (without the patch version),
leading to a false positive for these CVEs.
Could you please confirm if this is expected behavior? Additionally, is
there a recommended way to ensure that vulnerability scanners correctly
detect the full OpenSSH version, including the patch level?
Thank you for your time and assistance.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Mar-10 09:46 UTC
[Bug 3800] OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
https://bugzilla.mindrot.org/show_bug.cgi?id=3800
suryalegend89 <suryalegend89 at gmail.com> changed:
What      |Removed      |Added
----------+-------------+---------------------------
CC        |             |suryalegend89 at gmail.com
bugzilla-daemon at mindrot.org
2025-Mar-10 12:09 UTC
[Bug 3800] OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
https://bugzilla.mindrot.org/show_bug.cgi?id=3800
suryalegend89 <suryalegend89 at gmail.com> changed:
What      |Removed      |Added
----------+-------------+---------------------------
Priority  |P5           |P2
Severity  |enhancement  |security
bugzilla-daemon at mindrot.org
2025-Mar-10 23:36 UTC
[Bug 3800] OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
https://bugzilla.mindrot.org/show_bug.cgi?id=3800
Damien Miller <djm at mindrot.org> changed:
What      |Removed      |Added
----------+-------------+---------------------------
Severity  |security     |minor
Status    |NEW          |RESOLVED
Resolution|---          |WONTFIX
CC        |             |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The patch version is intentionally not shown. If you want to put
additional version information in the banner string you can use the
existing VersionAddendum option in sshd_config.
Opinion: vulnerability scanners should look for vulnerabilities and not
blindly check version strings.
bugzilla-daemon at mindrot.org
2025-Mar-11 09:58 UTC
[Bug 3800] OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
https://bugzilla.mindrot.org/show_bug.cgi?id=3800
--- Comment #2 from suryalegend89 <suryalegend89 at gmail.com> ---
Hi Damien Miller,
Thank you for your response.
I am seeking clarification on how OpenSSH reports its software version.
As per the RFC Protocol Version Exchange, the identification string
format is:
SSH-protoversion-softwareversion SP comments CR LF
However, VersionAddendum appends the minor version in the comments
rather than including it in the software version itself. For example:
SSH-2.0-OpenSSH_9.9 p2 <CR><LF>
This suggests that the minor version (p2) is not part of the software
version but is instead added as a comment.
For cross-verification, I tested on Ubuntu, and it includes the minor
version in the software version string:
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.11
Is there a specific reason why OpenSSH omits the minor version from the
software version field?
Any insights would be greatly appreciated!
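An added example, not part of the bug report or of OpenSSH's own code, that splits an identification string into the RFC 4253 fields and then reads the OpenSSH version from the softwareversion field alone, which is all a banner-based version check has to go on. The sample banners are the two quoted above (the first with VersionAddendum set to "p2") plus one constructed bare stock banner.

```python
import re

# Sample banners, constructed for this example: the two quoted in the bug
# report (the first with VersionAddendum "p2") and a bare stock banner.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.9 p2\r\n",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.11\r\n",
    "SSH-2.0-OpenSSH_9.9\r\n",
]

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion ends at the first space; the comments field is optional.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \r\n]*)"
    r"(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
# Portable OpenSSH's own version form: OpenSSH_<major>.<minor>[p<patch>]
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?$")


def parse_identification(line: str) -> dict:
    """Split an identification string into protoversion, softwareversion, comments."""
    m = IDENT_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "protoversion": m.group("proto"),
        "softwareversion": m.group("software"),
        "comments": m.group("comments") or "",
    }


def openssh_version(softwareversion: str):
    """Return (major, minor, patch) read from the softwareversion field only.

    patch is None when the field has no pN suffix, which is what a banner-only
    check sees for OpenSSH_9.9: the "p2" added via VersionAddendum lands in the
    comments field and never reaches this parser.
    """
    m = OPENSSH_RE.match(softwareversion)
    if m is None:
        return None
    patch = m.group("patch")
    return (int(m.group("major")), int(m.group("minor")),
            int(patch) if patch is not None else None)


def scanner_view(line: str) -> dict:
    """What a version-string check would record for one banner."""
    fields = parse_identification(line)
    fields["version"] = openssh_version(fields["softwareversion"])
    return fields
```

Running scanner_view over SAMPLE_BANNERS shows the stock banner yielding (9, 9, None) with "p2" in comments, while the Ubuntu banner yields (8, 9, 1) because the distribution places p1 inside softwareversion.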