USN-8090-2

Details

USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the corresponding updates for Ubuntu 20.04 LTS.

Original advisory details:

Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497)

David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984)

David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

Affected Packages

openssh

Ubuntu Pro 20.04 LTS

Fixed in:

1:8.2p1-4ubuntu0.13+esm1

References

REPORT

https://ubuntu.com/security/CVE-2025-61984

REPORT

https://ubuntu.com/security/CVE-2025-61985

REPORT

https://ubuntu.com/security/CVE-2026-3497

ADVISORY

https://ubuntu.com/security/notices/USN-8090-2