Bug #12544

closed

OpenSSH vulnerabilities

Added by Viktor Gurov over 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Operating System
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:

Actions #1

Updated by Kris Phillips over 2 years ago

pfSense CE 2.6.0 and pfSense Plus 22.01 have OpenSSH-7.9p1 so they are also affected by this.

Actions #2

Updated by Jim Pingle over 2 years ago

You cannot go by version number alone. FreeBSD typically carries patches for known vulnerabilities that don't bump the version number of OpenSSH in base. It's not even clear which if any of those are relevant to FreeBSD (e.g. the first one linked definitely isn't as it requires a custom experimental option), some of those may only affect the version in ports and/or portable OpenSSH which isn't in use either.

To say it's vulnerable would necessitate cross-referencing the version in the FreeBSD base tree with changes in OpenSSH made to address these. Only if the CVE is relevant and no fix is present in FreeBSD would it be a concern.

Actions #3

Updated by Kris Phillips over 2 years ago

Jim Pingle wrote in #note-2:

You cannot go by version number alone. FreeBSD typically carries patches for known vulnerabilities that don't bump the version number of OpenSSH in base. It's not even clear which if any of those are relevant to FreeBSD (e.g. the first one linked definitely isn't as it requires a custom experimental option), some of those may only affect the version in ports and/or portable OpenSSH which isn't in use either.

To say it's vulnerable would necessitate cross-referencing the version in the FreeBSD base tree with changes in OpenSSH made to address these. Only if the CVE is relevant and no fix is present in FreeBSD would it be a concern.

Either way, even if our current stable releases of both CE and pfSense Plus were vulnerable, which is a question mark, it definitely won't be when the version number bumps up with the next release.

Actions #4

Updated by Kris Phillips almost 2 years ago

This bug report can be closed. pfSense Plus 22.05 comes with OpenSSH 8.8p1, which is not vulnerable to any of these security issues.

Actions #5

Updated by Marcos M almost 2 years ago

  • Status changed from New to Closed