The following summary from Debian's security list:
The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to
execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.
On June 6, 2024, this signal handler race condition was fixed by commit
81c1099 ("Add a facility to sshd(8) to penalise particular problematic
client behaviours"), which moved the async-signal-unsafe code from
sshd's SIGALRM handler to sshd's listener process, where it can be
handled synchronously:
Because this fix is part of a large commit (81c1099), on top of an even
larger defense-in-depth commit (03e3de4, "Start the process of splitting
sshd into separate binaries"), it might prove difficult to backport.
Oh shit, now squash on merge folks can claim "defense-in-depth".
Always makes me think of this comic by geek and poke
It says 4.4 to 8.4 versions are not vulnerable. A lot of old distro releases are on these versions, Debian 10, 11, Ubuntu 20.04 LTS is not affected https://pkgs.org/download/openssh-server