OpenSSH maintainers have released an updated version of the open-source implementation of the SSH protocol to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a pre-authentication double-free memory vulnerability that was introduced in OpenSSH 9.1.
Note
- One of the vulnerabilities may allow remote code execution pre-authentication. It will likely be difficult to exploit, but you should patch as updates become available for your operating system.
- If you use OpenSSH, or OpenBSD, the OpenBSD accepts donations to improve the quality and security of the code – https://www.openbsdfoundation.org/
- Check your distributions before panicking here, targeting environments running 9.1, e.g., Debian bookworm, the successor to 11.6 “bullseye”. Odds are you’re on older OpenSSH versions and going to be deploying the latest SSH packages to mitigate any risks. As John suggests, consider contributing to these guys: we all use the heck out of their code, and this is an easy way to support continued improvements and ongoing development/support.
Read more in
- OpenSSH Release Notes | OpenSSH 9.2/9.2p1 (2023-02-02)
- CVE-2023-25136: Pre-Auth Double Free Vulnerability in OpenSSH Server 9.1
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
