Launchpad CVE tracker

CVE 2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Related bugs and status

CVE-2023-51385 (Candidate) is related to these bugs:

Bug #2040406: Merge openssh from Debian unstable for noble

Summary				In	Importance	Status
	2040406	Merge openssh from Debian unstable for noble		openssh (Ubuntu)	Undecided	Fix Released

Bug #2047082: upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

Summary				In	Importance	Status
	2047082	upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.		openssh (Ubuntu)	Low	Fix Released

Bug #2047315: [Debian] Critical CVE: CVE-2023-51384/CVE-2023-28531/CVE-2023-48795/CVE-2023-51385/CVE-2021-41617 openssh : multiple CVEs

Summary				In	Importance	Status
	2047315	[Debian] Critical CVE: CVE-2023-51384/CVE-2023-28531/CVE-2023-48795/CVE-2023-51385/CVE-2021-41617 openssh : multiple CVEs		StarlingX	High	Fix Released

Bug #2049552: [noble] ftbfs with new zlib 1.3

Summary				In	Importance	Status
	2049552	[noble] ftbfs with new zlib 1.3		openssh (Ubuntu)	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2023-51385

References