[Bug 3800] New: OpenSSH 9.9p2 Minor Version Detection Issue in Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Mar 10 20:45:07 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3800

            Bug ID: 3800
           Summary: OpenSSH 9.9p2 Minor Version Detection Issue in
                    Qualys/Tenable for CVE-2025-26465 & CVE-2025-26466
           Product: Portable OpenSSH
           Version: 9.9p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: suryalegend89 at gmail.com

Dear OpenSSH Team,

I recently upgraded OpenSSH to version 9.9p2 to address CVE-2025-26465
and CVE-2025-26466. When I run ssh -V, it correctly displays
OpenSSH_9.9p2.

However, when performing a vulnerability scan using Qualys or Tenable,
the reported SSH version appears as 9.9 (without the patch version),
leading to a false positive for these CVEs.

Could you please confirm if this is expected behavior? Additionally, is
there a recommended way to ensure that vulnerability scanners correctly
detect the full OpenSSH version, including the patch level?

Thank you for your time and assistance.

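As an added example (not from the reporter or from the OpenSSH project): a network scanner only sees the identification string the server sends on the first line of the connection (RFC 4253 section 4.2, `SSH-protoversion-softwareversion [SP comments]`), whereas `ssh -V` reports the version compiled into the local binary. The Python below parses both forms, keeps the portable `pN` suffix when it is present, and compares against a fixed release. A banner that carries only `major.minor` is classified as indeterminate rather than as fixed or older, which is exactly the gap that produces the false positive described in the report. The banner strings and the `ssh -V` output in the block are constructed samples, not captured from any system; `grab_banner` is a plain socket helper for real hosts and is not executed by the example.

```python
"""Parse SSH identification strings and `ssh -V` output, keeping the
portable "pN" suffix, and compare them against a fixed OpenSSH release."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
# OpenSSH softwareversion token: OpenSSH_<major>.<minor>[p<portable>]
_OPENSSH_RE = re.compile(
    r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?$")


@dataclass(frozen=True)
class OpenSSHVersion:
    major: int
    minor: int
    portable: Optional[int]  # None when the string omits the pN suffix
    comment: str = ""        # distro/vendor comment after the space, if any


def _parse_software(token: str, comment: str = "") -> Optional[OpenSSHVersion]:
    v = _OPENSSH_RE.match(token)
    if not v:
        return None  # not OpenSSH (e.g. dropbear) or unexpected layout
    p = v.group("portable")
    return OpenSSHVersion(int(v.group("major")), int(v.group("minor")),
                          int(p) if p is not None else None, comment)


def parse_banner(line: str) -> Optional[OpenSSHVersion]:
    """Parse one identification line as seen on the wire by a scanner."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        return None
    return _parse_software(m.group("software"), m.group("comment") or "")


def parse_ssh_v(output: str) -> Optional[OpenSSHVersion]:
    """Parse the first token of `ssh -V`, e.g. 'OpenSSH_9.9p2, OpenSSL ...'."""
    return _parse_software(output.split(",")[0].strip())


def compare_to_fix(banner: str, fixed: OpenSSHVersion) -> str:
    """Return 'fixed', 'older' or 'indeterminate' relative to `fixed`.

    'indeterminate' is returned when the banner is not OpenSSH, or when it
    has the same major.minor as the fix but no pN suffix, because then
    nothing on the wire separates 9.9p1 from 9.9p2.
    """
    if fixed.portable is None:
        raise ValueError("fixed release must carry a portable suffix")
    v = parse_banner(banner)
    if v is None:
        return "indeterminate"
    if (v.major, v.minor) > (fixed.major, fixed.minor):
        return "fixed"
    if (v.major, v.minor) < (fixed.major, fixed.minor):
        return "older"
    if v.portable is None:
        return "indeterminate"
    return "fixed" if v.portable >= fixed.portable else "older"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[str]:
    """Read the server identification line from a live host (network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(64):  # servers may send other lines before "SSH-"
            raw = f.readline(255)
            if not raw:
                break
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    return None


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.9p2\r\n",
    "SSH-2.0-OpenSSH_9.9\r\n",
    "SSH-2.0-OpenSSH_9.9p1\r\n",
    "SSH-2.0-OpenSSH_10.0\r\n",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5\r\n",
    "SSH-2.0-dropbear_2022.83\r\n",
]
FIXED_RELEASE = OpenSSHVersion(9, 9, 2)  # the release the reporter upgraded to


def demo() -> Dict[str, str]:
    """Classify every sample banner against FIXED_RELEASE."""
    return {b.strip(): compare_to_fix(b, FIXED_RELEASE) for b in SAMPLE_BANNERS}


if __name__ == "__main__":
    for banner, verdict in demo().items():
        print(f"{banner:45s} -> {verdict}")
```

Two caveats for anyone wiring this into a scan policy: the `VersionAddendum` option in `sshd_config` only appends text after the software version token, so it cannot change what the regex above extracts; and distributions that backport security fixes without bumping the upstream version string will still be reported as `older` by any banner-only check, so the comment field (package revision) or an authenticated package query is the only reliable way to close such a finding.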