CVE-2021-41617 is showing as “Needed” in several releases.

According to, 06 Nov 2021, this patch was backported to Debian in openssh 8.5, marked fixed by cjwatson, and merged to Ubuntu in openssh (1:8.7p1-1).

So Ubuntu shows it not-fixed, and Debian shows it fixed.

This discrepancy popped up as a question in AskUbuntu:


Thanks. Looks like nobody had updated the status on that CVE in a while. I’ve updated it now, jammy and kinetic are indeed not affected by the CVE.