According to the security advisory declared by Ubuntu, the versions below are safe to use against the recent OpenSSH vulnerability (CVE-2024-6387):
https://ubuntu.com/security/notices/USN-6859-1
Ubuntu 24.04
openssh-client - 1:9.6p1-3ubuntu13.3
openssh-server - 1:9.6p1-3ubuntu13.3
Ubuntu 23.10
openssh-client - 1:9.3p1-1ubuntu3.6
openssh-server - 1:9.3p1-1ubuntu3.6
Ubuntu 22.04
openssh-client - 1:8.9p1-3ubuntu0.10
openssh-server - 1:8.9p1-3ubuntu0.10
However, according to the Qualys security research team, who discovered this vulnerability, the OpenSSH versions below are vulnerable:
https://www.qualys.com/regresshion-cve-2024-6387/
Affected OpenSSH versions
- OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
- Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
- The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
That means the above-mentioned Ubuntu packages (Ubuntu 24.04, Ubuntu 23.10, Ubuntu 22.04) are not safe, as they contain these vulnerable OpenSSH packages.
Thank you in advance for your response.