
Submission Summary: 0 pending, 1 declined, 0 accepted (1 total, 0.00% accepted)

Submission + - SPAM: The regreSSHion bug

ciascu writes: A new SSH bug — this time in OpenSSH — provides full root access in the default configuration, as highlighted by the Qualys Threat Research Unit. According to the Ubuntu Security Team:

It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.

Further detail is provided in the 9.8p1 release notes:

A critical vulnerability in sshd(8) was present in Portable OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code execution with root privileges.
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.

Upgrading as a priority, before exploits are spotted in the wild, is recommended.
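As an added example (not part of the submission and not OpenSSH project code), the following Python triages SSH version banners against the range quoted from the 9.8p1 release notes; the function names and sample banners are constructed for illustration. A banner in range means the host needs checking against the vendor advisory, because distributions can backport a fix without changing the upstream version string.

```python
import re

# Inclusive range quoted from the 9.8p1 release notes: 8.5p1 through 9.7p1.
FIRST_AFFECTED = (8, 5, 1)
LAST_AFFECTED = (9, 7, 1)

# Matches e.g. "OpenSSH_9.6p1", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
# "OpenSSH_6.6.1p1" and the non-portable form "OpenSSH_9.7".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_level_or_None), or None if not OpenSSH."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    plevel = int(m.group(3)) if m.group(3) is not None else None
    return int(m.group(1)), int(m.group(2)), plevel


def classify(banner):
    """Return 'in-range', 'out-of-range', 'not-portable' or 'unknown'."""
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return "unknown"          # not an OpenSSH banner, or unparseable
    if parsed[2] is None:
        return "not-portable"     # the quoted notes name Portable OpenSSH only
    if FIRST_AFFECTED <= parsed <= LAST_AFFECTED:
        return "in-range"         # check the vendor advisory for a backported fix
    return "out-of-range"


def triage(banners):
    """Group banners (e.g. collected from an asset inventory) by classification."""
    result = {}
    for banner in banners:
        result.setdefault(classify(banner), []).append(banner)
    return result


# Constructed sample banners, not taken from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "OpenSSH_9.8p1, OpenSSL 3.0.13",
    "SSH-2.0-OpenSSH_9.7",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_BANNERS).items():
        print(label, hosts)
```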
