ClickCease Debian and Ubuntu Fixed OpenSSH Vulnerabilities

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Debian and Ubuntu Fixed OpenSSH Vulnerabilities

Rohan Timalsina

January 8, 2024 - TuxCare expert team

Debian and Ubuntu have released security updates for their respective OS versions, addressing five flaws discovered in the openssh package. In this article, we will delve into the intricacies of these vulnerabilities, shedding light on their nature and the recommended measures to safeguard your OpenSSH environment.


Multiple OpenSSH Vulnerabilities Fixed



Cvss 3 Severity Score: 7.0 High

One of the vulnerabilities, tracked under CVE-2021-41617, exposes a flaw in the initialization of supplemental groups when executing AuthorizedKeysCommand or AuthorizedPrincipalsCommand. Specifically, when a directive such as AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser is set to run the command as a different user, sshd fails to correctly initialize supplemental groups. This oversight results in these commands inheriting the groups that sshd was originally started with, potentially leading to unintended access.




Cvss 3 Severity Score: 9.8 Critical

Luci Stanescu identified a OpenSSH vulnerability that stems from an error preventing the communication of constraints to the ssh-agent when adding smartcard keys. The issue occurs when per-hop destination constraints are in place, causing keys to be added to the agent without the intended constraints. This could potentially lead to unauthorized access or misuse of keys.




Cvss 3 Severity Score: 5.9 Medium

Fabian Baeumer, Marcus Brinkmann, and Joerg Schwenk uncovered the vulnerability known as the Terrapin attack. This attack exploits a prefix truncation weakness in the SSH protocol, allowing a Man-in-the-Middle (MITM) attacker to compromise the integrity of the early encrypted SSH transport protocol. By sending extra messages before encryption starts and deleting an equal number of consecutive messages immediately after encryption begins, an attacker can achieve a limited break in the system’s security.

For more detailed information about the Terrapin attack, you can refer to




Cvss 3 Severity Score: 5.5 Medium

This OpenSSH vulnerability highlights an issue with PKCS#11-hosted private keys. When adding these keys while specifying destination constraints and the PKCS#11 token returns multiple keys, only the first key has the constraints applied. This oversight could potentially lead to unintended access or misuse of keys.




Cvss 3 Severity Score: 9.8 Critical

This flaw exposes a potential command injection risk when an invalid user or hostname containing shell metacharacters is passed to ssh. If a ProxyCommand, LocalCommand directive, or match exec predicate references the user or hostname via expansion tokens, an attacker who can supply arbitrary user/hostnames to ssh might exploit this vulnerability. This scenario could arise, for instance, in git repositories with submodules containing shell characters in user or hostname information.




In the light of these flaws, it is crucial to take proactive measures to secure your OpenSSH environment. Updating your OpenSSH packages is highly recommended to patch these vulnerabilities and ensure the ongoing security of your systems. A reboot will be required after the update to apply the changes.

For rebootless vulnerability patching, you can utilize KernelCare Enterprise live patching solution. Moreover, it automatically applies all security updates so you don’t have to worry about missing patches. KernelCare supports all popular enterprise distributions, including Ubuntu, Debian, RHEL, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, and more.


Source: DSA and USN

Debian and Ubuntu Fixed OpenSSH Vulnerabilities
Article Name
Debian and Ubuntu Fixed OpenSSH Vulnerabilities
Explore the recent OpenSSH vulnerabilities addressed in the Debian and Ubuntu security updates and learn how to safeguard your systems.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter