Situation
- Vulnerability CVE-2023-51385 has been discovered for openssh-server package on Ubuntu/Debian servers.
Impact
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
Call to action
Issue has been fixed and deployed with openssh-server package version 8.2p1-4ubuntu0.11.
If server is up to date, no further action is required.