CVE-2021-28041

Published: 5 March 2021

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

Priority

Medium

CVSS 3 base score: 7.1

Status

Package: openssh
Launchpad, Ubuntu, Debian

Release: Status
bionic: Not vulnerable (code not present)
focal: Released (1:8.2p1-4ubuntu0.2)
groovy: Released (1:8.3p1-1ubuntu0.1)
precise: Not vulnerable (code not present)
trusty: Not vulnerable (code not present)
upstream: Needs triage
xenial: Not vulnerable (code not present)

Package: openssh-ssh1
Launchpad, Ubuntu, Debian

Release: Status
bionic: Not vulnerable (code not present)
focal: Not vulnerable (code not present)
groovy: Not vulnerable (code not present)
precise: Does not exist
trusty: Does not exist
upstream: Ignored (frozen on openssh 7.5p)
xenial: Does not exist

Notes

Author: seth-arnold
Note: openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.

References

Bugs