UbuntuUpdates.org

Package "google-guest-agent"

Name: google-guest-agent

Description:

Google Compute Engine Guest Agent

Latest version: 20250116.00-0ubuntu1~22.04.3
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://github.com/GoogleCloudPlatform/guest-agent

Links


Download "google-guest-agent"


Other versions of "google-guest-agent" in Jammy

Repository Area Version
base main 20220104.00-0ubuntu2
updates main 20250116.00-0ubuntu1~22.04.3

Changelog

Version: 20250116.00-0ubuntu1~22.04.3 2026-06-22 19:07:32 UTC

  google-guest-agent (20250116.00-0ubuntu1~22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service via unexpected SSH global responses
    - debian/extra/vendor/golang.org/x/crypto/ssh/mux.go: use a non-blocking
      send for global request responses and drain stale responses.
    - 4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946
    - CVE-2026-39830
  * SECURITY UPDATE: user presence verification bypass for security keys
    - debian/extra/vendor/golang.org/x/crypto/ssh/keys.go: enforce the
      user-presence bit in signatures from FIDO/U2F security keys.
    - b61cf853a89d82cad68da5e12a6beca2116f8456
    - CVE-2026-39831
  * SECURITY UPDATE: denial of service via integer overflow on large writes
    - debian/extra/vendor/golang.org/x/crypto/ssh/channel.go: avoid uint32
      truncation that caused an infinite loop on large channel writes.
    - e052873987615dc96fe67607a9a6adb76311344f
    - CVE-2026-39834

 -- Hlib Korzhynskyy <email address hidden> Wed, 17 Jun 2026 16:47:00 -0230

Source diff to previous version
CVE-2026-39830 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked gor
CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence
CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the w

Version: 20250116.00-0ubuntu1~22.04.2 2026-01-13 10:07:43 UTC

  google-guest-agent (20250116.00-0ubuntu1~22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/extra/vendor/golang.org/x/crypto was patched
      with a backport of e79546e28b85ea53dd37afe1c4102746ef553b9c in file
      ssh/ssh_gss.go.
    - debian/extra/vendor adding patches-applied and README.txt for
      track/documentation propose about patches applied in vendored sources.
    - CVE-2025-58181

 -- Nishit Majithia <email address hidden> Fri, 09 Jan 2026 16:45:05 +0530

Source diff to previous version
CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause u

Version: 20250116.00-0ubuntu1~22.04.1 2025-11-03 13:07:13 UTC

  google-guest-agent (20250116.00-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Authorization bypass in SSH protocol
    - debian/extra/vendor/golang.org/x/crypto/ssh/server.go: Change
      maxCachedPubKeys to 1 and change limit checks. Based on:
      https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
    - CVE-2024-45337

 -- Hlib Korzhynskyy <email address hidden> Thu, 23 Oct 2025 15:25:07 -0230

Source diff to previous version
CVE-2024-45337 Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an au

Version: 20231004.02-0ubuntu1~22.04.5 2024-07-10 08:07:06 UTC

  google-guest-agent (20231004.02-0ubuntu1~22.04.5) jammy-security; urgency=medium

  * No change rebuild due to golang-1.21 update

 -- Nishit Majithia <email address hidden> Wed, 10 Jul 2024 09:42:57 +0530

Source diff to previous version

Version: 20231004.02-0ubuntu1~22.04.4 2024-04-23 13:06:58 UTC

  google-guest-agent (20231004.02-0ubuntu1~22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/extra/vendor/googgle.golang.org/protobuf was
      patched with a backport of f01a588e5810b90996452eec4a28f22a0afae023
      in files encoding/protojson/well_known_types.go,
      internal/encoding/json/decode.go.
    - debian/extra/vendor adding patches-applied and README.txt for
      track/documentation propose about patches applied in vendored sources.
    - CVE-2024-24786

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 14 Mar 2024 07:08:12 -0300

CVE-2024-24786 The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshali



About   -   Send Feedback to @ubuntu_updates