Thanks a lot for the heads-up!  On bookworm, I see an update available, but run into an openssl dependency issue:

# apt upgrade openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openssh-server : Depends: openssh-client (= 1:9.2p1-2+deb12u3)
                  Depends: libssl3 (>= 3.0.13) but 3.0.11-1~deb12u2 is to be installed
E: Broken packages

These are my sources:

# cat /etc/apt/sources.list.d/debian*
#deb http://ftp.debian.org/debian bookworm-backports main
#deb http://deb.debian.org/debian bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/deb.debian.org/debian/ bookworm-backports main
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian stable main contrib non-free non-free-firmware
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.debian.org/debian stable main contrib non-free

deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable-security main contrib non-free
deb-src http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable-security main contrib non-free

Any ideas?

I have another VPS running buster, which I note reached EOL last night.  What absolutely fabulous timing!

https://wiki.debian.org/LTS 

On Mon, 1 Jul 2024 at 11:59, Richard Wallman via BitFolk Users <users@mailman.bitfolk.com> wrote:
CVE-2024-6387 details a flaw in OpenSSH that could *potentially* give an attacker a root shell in "6-8 hours"

It's not in MITRE yet, but Qualys have named it "regreSSHion" and you can read about it on their site

There's an updated package in Debian already, but it looks like the information's still embargoed (even the openssh package changelog is 404ing) so I can only *assume* they've fixed it but can't tell anyone yet (it wasn't on security.debian.org just now either)

This is probably an update you don't want to be sleeping on