UbuntuUpdates.org

Package "google-guest-agent"

Name: google-guest-agent

Description: Google Compute Engine Guest Agent

Latest version: 20250116.00-0ubuntu1~24.04.4
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://github.com/GoogleCloudPlatform/guest-agent

Other versions of "google-guest-agent" in Noble

Repository  Area  Version
base        main  20240213.00-0ubuntu3
updates     main  20250116.00-0ubuntu1~24.04.4

Changelog

Version: 20250116.00-0ubuntu1~24.04.4 2026-06-22 19:07:43 UTC

  google-guest-agent (20250116.00-0ubuntu1~24.04.4) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service via unexpected SSH global responses
    - debian/extra/vendor/golang.org/x/crypto/ssh/mux.go: use a non-blocking
      send for global request responses and drain stale responses.
    - 4e7a7384ecbc8d519f6f4c11b36fa9d761fc8946
    - CVE-2026-39830
  * SECURITY UPDATE: user presence verification bypass for security keys
    - debian/extra/vendor/golang.org/x/crypto/ssh/keys.go: enforce the
      user-presence bit in signatures from FIDO/U2F security keys.
    - b61cf853a89d82cad68da5e12a6beca2116f8456
    - CVE-2026-39831
  * SECURITY UPDATE: denial of service via integer overflow on large writes
    - debian/extra/vendor/golang.org/x/crypto/ssh/channel.go: avoid uint32
      truncation that caused an infinite loop on large channel writes.
    - e052873987615dc96fe67607a9a6adb76311344f
    - CVE-2026-39834
  * SECURITY UPDATE: source-address critical option authorization bypass
    - debian/extra/vendor/golang.org/x/crypto/ssh/server.go: enforce the
      source-address critical option for all callback types.
    - 533fb3f7e4a5ae23f69d1837cd851d35ff5b76ce
    - CVE-2026-46595

 -- Hlib Korzhynskyy <email address hidden> Wed, 17 Jun 2026 16:25:53 -0230

CVE-2026-39830 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked gor
CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence
CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the w
CVE-2026-46595 Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than pu

Version: 20250116.00-0ubuntu1~24.04.3 2026-01-13 10:07:46 UTC

  google-guest-agent (20250116.00-0ubuntu1~24.04.3) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/extra/vendor/golang.org/x/crypto was patched
      with a backport of e79546e28b85ea53dd37afe1c4102746ef553b9c in file
      ssh/ssh_gss.go.
    - debian/extra/vendor adding patches-applied and README.txt for
      track/documentation purpose about patches applied in vendored sources.
    - CVE-2025-58181

 -- Nishit Majithia <email address hidden> Fri, 09 Jan 2026 16:41:44 +0530

CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause u

Version: 20250116.00-0ubuntu1~24.04.2 2025-11-03 13:07:15 UTC

  google-guest-agent (20250116.00-0ubuntu1~24.04.2) noble-security; urgency=medium

  * SECURITY UPDATE: Authorization bypass in SSH protocol
    - debian/extra/vendor/golang.org/x/crypto/ssh/server.go: Change
      maxCachedPubKeys to 1 and change limit checks. Based on:
      https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
    - CVE-2024-45337

 -- Hlib Korzhynskyy <email address hidden> Thu, 23 Oct 2025 15:17:27 -0230

CVE-2024-45337 Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an au

Version: 20250116.00-0ubuntu1~24.04.1 2025-06-26 05:06:59 UTC

  google-guest-agent (20250116.00-0ubuntu1~24.04.1) noble-security; urgency=medium

  * No change rebuild due to golang-1.22 update

 -- Evan Caville <email address hidden> Thu, 19 Jun 2025 16:16:44 +1000


Version: 20240716.00-0ubuntu1~24.04.1 2024-10-24 08:07:02 UTC

  google-guest-agent (20240716.00-0ubuntu1~24.04.1) noble-security; urgency=medium

  * No change rebuild due to golang-1.22 update

 -- Evan Caville <email address hidden> Thu, 24 Oct 2024 10:22:49 +1000
