https://bugzilla.mindrot.org/show_bug.cgi?id=3800
Bug ID: 3800
Summary: OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
Product: Portable OpenSSH
Version: 9.9p2
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: suryalegen...@gmail.com

Dear OpenSSH Team,

I recently upgraded OpenSSH to version 9.9p2 to address CVE-2025-26465 and CVE-2025-26466. When I run ssh -V, it correctly displays OpenSSH_9.9p2. However, when performing a vulnerability scan using Qualys or Tenable, the reported SSH version appears as 9.9 (without the patch version), leading to a false positive for these CVEs.

Could you please confirm if this is expected behavior? Additionally, is there a recommended way to ensure that vulnerability scanners correctly detect the full OpenSSH version, including the patch level?

Thank you for your time and assistance.
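
A triage helper for the mismatch described in this report, added here as an example (it is not part of the report and is not OpenSSH project code). It parses the SSH identification string (RFC 4253 section 4.2) and the ssh -V output, then classifies the scanner finding. It assumes the scanner judges the version from the identification string alone; the function names and sample strings are constructed, and the fixed release (9.9p2) is taken from the report.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-[0-9.]+-(?P<software>[^ \r\n]+)(?: [^\r\n]*)?\r?\n?$")
# OpenSSH version text: base release plus optional portable patch level ("p2").
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?")


def parse_openssh(text):
    """Return (major, minor, patch) or None; patch is None when absent."""
    m = OPENSSH_RE.match(text.strip())
    if not m:
        return None
    patch = m.group("patch")
    return int(m.group("major")), int(m.group("minor")), (
        int(patch) if patch is not None else None)


def parse_banner(line):
    """Parse an SSH identification string; None if malformed or not OpenSSH."""
    m = IDENT_RE.match(line)
    return parse_openssh(m.group("software")) if m else None


def triage(banner_line, ssh_v_output, fixed=(9, 9, 2)):
    """Classify a banner-based finding against the locally installed release."""
    remote = parse_banner(banner_line)
    local = parse_openssh(ssh_v_output)
    if remote is None or local is None:
        return "unparsed"
    if remote[:2] != local[:2]:
        return "version-mismatch"          # banner and binary disagree
    local_fixed = (local[0], local[1], local[2] or 0) >= fixed
    if remote[2] is None and local_fixed:
        return "banner-lacks-patch-level"  # not confirmable from the banner
    return "patched" if local_fixed else "needs-update"


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.9\r\n"
SAMPLE_SSH_V = "OpenSSH_9.9p2, OpenSSL 3.0.13 30 Jan 2024"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_SSH_V))
```

A "banner-lacks-patch-level" result means the finding has to be settled from host-side evidence such as the ssh -V output or the installed package version.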