OpenSSH CVE-2024-6387: Announcing hotfix releases for 21.05, 23.05, 23.11
Scheduled Maintenance Report for Flying Circus
Completed
The hotfix for release 24.05 (non-production) has just been published and is rolled out right now.

For release 21.05, we have decided __not__ to publish a hotfix release, as that platform release has been out of its support window for several years now.

Hence, all planned hotfixes for the OpenSSH CVE-2024-6387 have now been published.
Posted Jul 02, 2024 - 16:23 CEST
Update
The hotfixes for 21.05 and 24.05 (non-production) are still not fully ready. We will continue to work on them tomorrow during business hours and keep you updated.
Posted Jul 01, 2024 - 22:04 CEST
Update
The hotfixes for 23.11 and 23.05 are released at 16:00 UTC today. The hotfixes for 21.05 and 24.05 (non-production) are still being worked on and will follow later today; we will keep you updated here and in the release changelog: https://doc.flyingcircus.io/platform/changes/2024/r021.html

Please note that your machines will still adhere to their configured maintenance windows and lead times for installing the update, potentially delaying the rollout.
Posted Jul 01, 2024 - 17:48 CEST
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Jul 01, 2024 - 17:30 CEST
Scheduled
The OpenSSH team has [released an urgent patch release](https://www.openssh.com/txt/release-9.8) fixing a vulnerability that may allow an attacker to execute code as a root user on target machines. We are preparing an out-of-schedule hotfix release to resolve this vulnerability in our platform for the following release versions:
- 23.11
- 23.05
- 21.05
- 24.05 (non-production)

Details on the vulnerability can be found here: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

The exact kind of mitigations might vary between the releases and can involve configuration changes, patching the OpenSSH release, or updating the OpenSSH version in use. This will be communicated once the exact hotfixes are ready.
Posted Jul 01, 2024 - 14:33 CEST
This scheduled maintenance affected: Central services.