Thread: Looking for OpenSSH patch to resolve CVE-2023-48795?

  1. #1
    Join Date
    Apr 2024
    Beans
    1

    Post Looking for OpenSSH patch to resolve CVE-2023-48795?

    I have a buildroot environment which has openssh version 8.1p1 and openssl 1.0.2r. We are now facing CVE-2023-48795 in the existing version. It is actually resolved in openssh version 9.6, but the catch is that it doesn't support openssl 1.0.2r and requires upgrading openssl.

    So do we have any patch available that can be applied on 8.1p1 without having to upgrade openssh to 9.6, keeping openssh as is (as it's a tedious job to upgrade in the current situation inside the organization)? Or upgrade openssh up to the version that supports openssh 1.0.2?

    Any help would be very greatly appreciated.
    Last edited by prajwalraj; 4 Weeks Ago at 09:05 AM.

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Looking for OpenSSH patch to resolve CVE-2023-48795?

    https://ubuntu.com/security/CVE-2023-48795 explains when the fixes were released for supported Ubuntu versions.
    On my 20.04 systems, I see that the needed updates arrived Jan 11, 2024.

    If you don't have them yet, that's an issue with your package management, not Canonical's release of the fixes. Of course, some snap packages use out-of-support versions of libopenssl, but 18.04 didn't have the problem code, so it isn't any issue.

    Read the link carefully. If you are on a supported release of Ubuntu, I think it is handled.
