main/openssh: security upgrade to 9.9_p2

- CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to
9.9p1 (inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.

- CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to
9.9p1 (inclusive) is vulnerable to a memory/CPU denial-of-service
related to the handling of SSH2_MSG_PING packets. This condition may
be mitigated using the existing PerSourcePenalties feature.

https://openwall.com/lists/oss-security/2025/02/18/1

main/openssh/APKBUILD

@@ -3,9 +3,9 @@
 # Contributor: Will Sinatra <wpsinatra@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openssh
-pkgver=9.9_p1
+pkgver=9.9_p2
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=0
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.com/portable.html"
 arch="all"
@@ -55,7 +55,6 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
 	include-config-dir.patch
 	sshd-session-flavor.patch
 	disable-fzero-call-used-regs-used-on-ppc64le.patch
-	musl-btmp.patch
 
 	sshd.initd
 	sshd.confd
@@ -63,6 +62,9 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
 	"
 
 # secfixes:
+#   9.9_p2-r0:
+#     - CVE-2025-26465
+#     - CVE-2025-26466
 #   9.8_p1-r0:
 #     - CVE-2024-6387
 #   9.6_p1-r0:
@@ -300,15 +302,14 @@ _server_with_flavor() {
 }
 
 sha512sums="
-3cc0ed97f3e29ecbd882eca79239f02eb5a1606fce4f3119ddc3c5e86128aa3ff12dc85000879fccc87b60e7d651cfe37376607ac66075fede2118deaa685d6d  openssh-9.9p1.tar.gz
-b10a9eb167cfbb23b144fdb03f30a0363be9a715ceb3c202c971ec4f36160e434cc6bbad91d0e49106189e07152067f7e227df28b5a1b82f3901cb36cba321b5  fix-utmp.patch
+4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278  openssh-9.9p2.tar.gz
+53c99ef1d3a1f6ab4a9937986330787b1014098a39cc1639b36538e41e9322f81ee2f7f0cb6e2fbc4ac40c03c08e2b34df0a58316918bcecbb02539b0058d182  fix-utmp.patch
 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
 e85754b2b6c4c37b432d166e63d6293e58c9c8bb6ebd8d3527c83afa2337f14c06d6a4e008ffcc0afd7dc3409e960b89c1dde41d2543c4be7d4813d477ff3a5e  avoid-redefined-warnings-when-building-with-utmps.patch
 1fb55aae445dfd9ededeba1f204a0c3e4a752128ad0a388f473ace074e68b040112f309192243621fd4f16b0d1cce4f083612b1639c3e18166abf92babe52c93  default-internal-sftp.patch
 ff73563e6018e94a1b2dd320cf32426f3945c0f4aa509eeb95783c34dd5c5c8dec91f6d71e4d538c4735539a4d8c724cf61d71513887d8a96b84109ae3a5562e  include-config-dir.patch
 ec43cda33567aee2b20a79a70d9204e53d4d6b7022e4b06189f17df834ba9f6aeb17b2c804b73ca1e922f575b4a1c61b880420c6b10aeb8d31cb805cffad7dd4  sshd-session-flavor.patch
 6250ab32cd1018c6372b0c5c61eeb091fba3d9c99da56078d1bdfb89b06b90dab373c3a22b61acde577f29834f17a704e263b6e2a67e8234426e947a42a04d6f  disable-fzero-call-used-regs-used-on-ppc64le.patch
-f4ec725fdbd72ae374c0a4b753812e8a8fef17909766ced83d08f22eae00edf04aec9cefad23ab1bffb7a346da29d04e2700cccdea786d7c4c9b97a664743cb4  musl-btmp.patch
 2cab1b844d4efb53f848308b4aaedbe74888d2e85bcb2e4dfdae7c18ac3ecea707829072a4276fbe90dfe2f537bbf48127d96f29ec5154e96c0bfb7437910d53  sshd.initd
 be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09  sshd.confd
 5d3b62d724d930bafb6263d0600828771e667751cb5ba5070414dce7c3d0559bebdfb05960b721cfd20c81d3ad824291ffb10498798171c8bbbcbf389b706265  sshd.pam

main/openssh/fix-utmp.patch

@@ -23,12 +23,3 @@ diff -rNU3 openssh-9.0p1.old/loginrec.c openssh-9.0p1/loginrec.c
  # ifdef HAVE_HOST_IN_UTMPX
  	strncpy(utx->ut_host, li->hostname,
  	    MIN_SIZEOF(utx->ut_host, li->hostname));
-@@ -787,7 +787,7 @@
- 	if (li->hostaddr.sa.sa_family == AF_INET)
- 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
- # endif
--# ifdef HAVE_ADDR_V6_IN_UTMP
-+# ifdef HAVE_ADDR_V6_IN_UTMPX
- 	/* this is just a 128-bit IPv6 address */
- 	if (li->hostaddr.sa.sa_family == AF_INET6) {
- 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);

main/openssh/musl-btmp.patch

@@ -1,11 +0,0 @@
---- a/loginrec.c
-+++ b/loginrec.c
-@@ -614,7 +614,7 @@
-  ** into account.
-  **/
- 
--#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
-+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
- 
- /* build the utmp structure */
- void