SUSE-SU-2025:20160-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520160-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20160-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:20160-1
Published
2025-03-25T09:02:20Z
Modified
2026-03-23T04:50:04.239802Z
Summary
Security update for openssh
Details

This update for openssh fixes the following issues:

  • CVE-2025-26465: Fixed MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client (bsc#1237040).
  • CVE-2025-26466: Fixed DoS attack against OpenSSH's client and server (bsc#1237041).

Other bugfixes:

  • Fix ssh client segfault with GSSAPIKeyExchange=yes in ssh_kex2 due to gssapi proposal not being correctly initialized (bsc#1236826).
  • Add #include <stdlib.h> in some files added by the ldap patch to fix build with gcc14 (bsc#1225904).
  • Added missing struct initializer, added missing parameter (bsc#1222840).
  • Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by upstream (bsc#1221928).
  • Use %config(noreplace) for sshd_config. In any case, it's recommended to drop a file in sshd_config.d instead of editing sshd_config (bsc#1221063).
  • Add a patch to fix a regression introduced in 9.6 that makes X11 forwarding very slow (bsc#1229449).
  • Drop the keycat binary, which is not supported, except for the code that is used by other SELinux patches (bsc#1229072).
  • Fix the RFC 4256 implementation so that the keyboard-interactive authentication method can send instructions and sshd shows them to users (bsc#1229010).
  • Add attempts to mitigate instances of secrets lingering in memory after a session exits (bsc#1186673, bsc#1213004, bsc#1213008).
  • Remove empty line at the end of sshd-sle.pamd (bsc#1227456).

Affected packages

SUSE:Linux Micro 6.0 / openssh

Package

Name
openssh
Purl
pkg:rpm/suse/openssh&distro=SUSE%20Linux%20Micro%206.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.6p1-3.1

Ecosystem specific

{
    "binaries": [
        {
            "openssh-clients": "9.6p1-3.1",
            "openssh-common": "9.6p1-3.1",
            "openssh-server-config-rootlogin": "9.6p1-3.1",
            "openssh-server": "9.6p1-3.1",
            "openssh-fips": "9.6p1-3.1",
            "openssh": "9.6p1-3.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20160-1.json"