OpenSSH maintainers have released an updated version of the open-source implementation of the SSH protocol to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a double-free memory-safety vulnerability in sshd that is reachable before authentication; the bug was introduced in OpenSSH 9.1, so earlier releases do not carry it.
- One of the vulnerabilities may allow remote code execution pre-authentication. It will likely be difficult to exploit, but you should patch as updates become available for your operating system.
- If you use OpenSSH or OpenBSD, the OpenBSD Foundation accepts donations to improve the quality and security of the code – https://www.openbsdfoundation.org/
- Check your distributions before panicking here; this targets environments running 9.1, e.g., Debian bookworm, the successor to 11.6 “bullseye”. Odds are you’re on older OpenSSH versions and going to be deploying the latest SSH packages to mitigate any risks. As John suggests, consider contributing to these guys: we all use the heck out of their code, and this is an easy way to support continued improvements and ongoing development/support.
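The version check the item and the last editor note call for, as an added example that is not part of the original page or of the OpenSSH project: it classifies an OpenSSH version string (the output of `ssh -V`, which goes to stderr, or a server banner such as `SSH-2.0-OpenSSH_9.1p1 Debian-2`) against the window the advisory describes, bug introduced in 9.1 and fixed in 9.2. The function names and the sample banners are the example's own. One caveat a practitioner should keep in mind: distributions often backport fixes without changing the upstream version number, so treat an "affected" result as a prompt to check the package changelog, not as a verdict.

```shell
#!/bin/sh
# Added example, not from the original page. Classifies an OpenSSH version
# string against the advisory above: the pre-auth double-free was introduced
# in 9.1 and fixed in 9.2, so only 9.1 is "affected" by this particular bug.

# Extract "major.minor" from any string containing OpenSSH_X.Y...
# Prints nothing if the string is not an OpenSSH version/banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Prints one of: affected, fixed, older, unknown.
# Returns non-zero only when the input cannot be parsed at all.
openssh_status() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 1
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -eq 9 ] && [ "$minor" -eq 1 ]; then
        echo affected          # 9.1 is the only upstream release carrying the bug
    elif [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 2 ]; }; then
        echo fixed             # 9.2 or later contains the upstream fix
    else
        echo older             # predates 9.1, so does not carry this bug
    fi
}

# Usage: `sh check.sh --local` inspects the locally installed client build.
# `ssh -V` writes its version line to stderr, hence the 2>&1.
if [ "${1:-}" = "--local" ]; then
    openssh_status "$(ssh -V 2>&1)"
fi
```

For servers, feed the function the banner line a `nc host 22` (or `ssh -v` connection attempt) shows; the parser only needs the `OpenSSH_X.Y` token, so distribution suffixes such as `Debian-2` or `Ubuntu-3` are ignored.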
Read more in