UbuntuUpdates.org

Package "google-guest-agent"

Name: google-guest-agent

Description:

Google Compute Engine Guest Agent

Latest version: 20250506.01-0ubuntu2.1
Release: resolute (26.04)
Level: security
Repository: main
Homepage: https://github.com/GoogleCloudPlatform/guest-agent



Other versions of "google-guest-agent" in Resolute

Repository Area Version
base main 20250506.01-0ubuntu2

Changelog

Version: 20250506.01-0ubuntu2.1 2026-06-22 19:07:52 UTC

  google-guest-agent (20250506.01-0ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: denial of service via unexpected SSH global responses
    - debian/extra/vendor/golang.org/x/crypto/ssh/mux.go: use a non-blocking
      send for global request responses and drain stale responses.
    - 4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946
    - CVE-2026-39830
  * SECURITY UPDATE: user presence verification bypass for security keys
    - debian/extra/vendor/golang.org/x/crypto/ssh/keys.go: enforce the
      user-presence bit in signatures from FIDO/U2F security keys.
    - b61cf853a89d82cad68da5e12a6beca2116f8456
    - CVE-2026-39831
  * SECURITY UPDATE: denial of service via integer overflow on large writes
    - debian/extra/vendor/golang.org/x/crypto/ssh/channel.go: avoid uint32
      truncation that caused an infinite loop on large channel writes.
    - e052873987615dc96fe67607a9a6adb76311344f
    - CVE-2026-39834
  * SECURITY UPDATE: source-address critical option authorization bypass
    - debian/extra/vendor/golang.org/x/crypto/ssh/server.go: enforce the
      source-address critical option for all callback types.
    - 533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce
    - CVE-2026-46595

 -- Hlib Korzhynskyy <email address hidden> Wed, 17 Jun 2026 16:04:10 -0230

CVE-2026-39830 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked gor
CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence
CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the w
CVE-2026-46595 Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than pu


