Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.2
Affects Version/s: rhel-10.2
Component/s: libssh
Labels:
- rn-yml

Fixed in Build:
libssh-0.12.0-1.el10
Regression:
No
Severity:
Moderate
Epic Link:
CRYPTO-17703

AssignedTeam:
rhel-security-crypto-diamonds

Internal Target Milestone:
26
Story Points:
0
ACKs Check:

QE ack, Dev ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:

Hide

AC1) upstream tests pass in upstream-testsuit for CVE-2025-5449, CVE-2026-0965, CVE-2026-0966, CVE-2026-0967, CVE-2026-0968

AC2) interoperability test between libssh client and openssh server passes

AC3) extended sanity/libssh-with-PKCS-11-URI test to check Ed25519 keys passes

Show
AC1) upstream tests pass in upstream-testsuit for CVE-2025-5449, CVE-2026-0965, CVE-2026-0966, CVE-2026-0967, CVE-2026-0968 AC2) interoperability test between libssh client and openssh server passes AC3) extended sanity/libssh-with-PKCS-11-URI test to check Ed25519 keys passes
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/155379
Test Coverage:

Automated

Release Note Type:
Rebase
Release Note Text:

Hide
Version: 0.12.0

List of highlights:
- adds support for hybrid post-quantum key exchange mechanisms, in particular:
  * sntrup761x25519-sha512
  * sntrup761x25519-sha512@openssh.com
  * mlkem768nistp256-sha256
  * mlkem768x25519-sha256
  * mlkem1024nistp384-sha384
- adds support for GSSAPI Key Exchange (RFC 4462, RFC 8732)
- adds support for Ed25519 keys through PKCS#11
- adds support for FIDO/U2F keys, compatible with OpenSSH
- adds new configuration options:
  * RequiredRsaSize
  * AddressFamily (client)
  * GSSAPIKeyExchange
  * GSSAPIKexAlgorithms
- adds more OpenSSH-compatible percent expansion characters
- adds API functions for signing arbitrary data with SSH keys
- bumps minimal RSA key size to 1024
- improves the stability and compatibility of ProxyJump
- adds functionality to obtain a list of configured identities
- adds new PKI context structure for key operations

Show
Version: 0.12.0 List of highlights: - adds support for hybrid post-quantum key exchange mechanisms, in particular:   * sntrup761x25519-sha512   * sntrup761x25519-sha512@openssh.com   * mlkem768nistp256-sha256   * mlkem768x25519-sha256   * mlkem1024nistp384-sha384 - adds support for GSSAPI Key Exchange (RFC 4462, RFC 8732) - adds support for Ed25519 keys through PKCS#11 - adds support for FIDO/U2F keys, compatible with OpenSSH - adds new configuration options:   * RequiredRsaSize   * AddressFamily (client)   * GSSAPIKeyExchange   * GSSAPIKexAlgorithms - adds more OpenSSH-compatible percent expansion characters - adds API functions for signing arbitrary data with SSH keys - bumps minimal RSA key size to 1024 - improves the stability and compatibility of ProxyJump - adds functionality to obtain a list of configured identities - adds new PKI context structure for key operations
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

The 0.12 release of libssh is expected in December. Rebase to this release to bring hybrid PQC key exchange to RHEL 10.

blocks

RHEL-133522 Enable MLKEM in all libssh policies

Release Pending

links to

RHSA-2025:155379 libssh update

Assignee:: Pavol Zacik

Reporter:: Pavol Zacik

Developer:: Pavol Zacik

QA Contact:: Ganna Starovoytova

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2025/12/04 10:54 AM

Updated:: 2026/02/23 4:14 PM

Target end:: 2026/02/23

Next Planned Release Date:: 2026/05/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates