Security Concern – OpenSSH Vulnerability (CVE-2025-26465) on Railway
augmentimpact
PRO OP

a year ago

Hi Railway Support,

I’m reaching out because we’ve been alerted to a security vulnerability (CVE-2025-26465) affecting OpenSSH versions 6.8p1 to 9.9p1. After checking, we confirmed that our Railway environment is running OpenSSH 9.8p1 (LibreSSL 3.3.6), which is still vulnerable.

We need some clarification on two things:

  1. VerifyHostKeyDNS Configuration – Could you confirm whether VerifyHostKeyDNS is enabled (yes) or disabled (no) in our environment? If it’s enabled, is there a way for us to disable it, given that we don’t have root access?

  2. OpenSSH Upgrade Timeline – Is there a plan to upgrade OpenSSH to 9.9p2 or later? If so, do you have an estimated timeline for when that will happen?

This is important for us to address because the vulnerability could expose SSH connections to potential MITM attacks, and our project is being used in collaboration with international partners.

Appreciate any guidance you can provide on this. Let me know if you need any additional details.

Best,
Sebastian

Solved

1 Reply

unicodeveloper
PRO

a year ago

Hi there, thanks for reaching out. These are the answers to the questions asked:

  1. The VerifyHostKeyDNS is not enabled.

  2. For OpenSSH, not to worry, because we don't have that user-facing.


Status changed to Awaiting User Response Railway about 1 year ago


Railway
BOT

7 months ago

This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!

Status changed to Solved Railway 7 months ago
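
A client-side way to check the two facts asked about in this thread without root access, as an added example that is not part of the original posts or Railway's tooling. It assumes the affected range stated in the question (6.8p1 to 9.9p1), treats any VerifyHostKeyDNS value other than no/false as enabled, and uses example.com as a placeholder host; the `ssh -G` excerpt is constructed sample output.

```python
import re
import subprocess

# Affected range as given in the thread: OpenSSH 6.8p1 through 9.9p1.
FIRST_AFFECTED, LAST_AFFECTED = (6, 8, 1), (9, 9, 1)

# Banner quoted in the thread; the `ssh -G` excerpt is constructed sample output.
SAMPLE_BANNER = "OpenSSH_9.8p1, LibreSSL 3.3.6"
SAMPLE_CONFIG = "host example.com\nport 22\nverifyhostkeydns false\n"

def parse_version(banner):
    """Return (major, minor, portable_patch) from `ssh -V` output."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"unrecognised ssh -V banner: {banner!r}")
    # Assumption: a banner without a pN suffix is compared as p1.
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)

def effective_option(ssh_g_output, name):
    """Look up one option in `ssh -G <host>` output ('key value' per line)."""
    for line in ssh_g_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == name.lower():
            return value.strip().lower()
    return None

def assess(banner, ssh_g_output):
    """Combine the version range and the effective VerifyHostKeyDNS value."""
    version = parse_version(banner)
    in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
    value = effective_option(ssh_g_output, "VerifyHostKeyDNS")
    # Only an explicit no/false counts as disabled; yes, true, ask or a
    # missing line are all treated as enabled so the result errs on caution.
    dns_check_off = value in ("no", "false")
    return {"version": version, "in_affected_range": in_range,
            "verifyhostkeydns": value, "exposed": in_range and not dns_check_off}

def main(host="example.com"):  # placeholder; use the host you connect to
    # `ssh -V` prints its banner on stderr; `ssh -G` resolves the client
    # configuration for a host without connecting and needs no root access.
    v = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    g = subprocess.run(["ssh", "-G", host], capture_output=True, text=True, check=True)
    print(assess(v.stderr or v.stdout, g.stdout))

if __name__ == "__main__":
    main()
```
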

