https://ubuntu.com/security/CVE-2021-41617 is showing as “Needed” in several releases.
According to https://launchpad.net/ubuntu/jammy/+source/openssh/+changelog, 06 Nov 2021, this patch was backported to Debian in openssh 8.5, marked fixed by cjwatson, and merged to Ubuntu in openssh (1:8.7p1-1).
So Ubuntu shows it not-fixed, and Debian shows it fixed.
This discrepancy popped up as a question in AskUbuntu: https://askubuntu.com/questions/1470115