diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 13e41d0e6fd0..9b604cd1405c 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -6,11 +6,11 @@ in
 
   openssh = common rec {
     pname = "openssh";
-    version = "9.2p1";
+    version = "9.3p1";
 
     src = fetchurl {
       url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
-      hash = "sha256-P2bb8WVftF9Q4cVtpiqwEhjCKIB7ITONY068351xz0Y=";
+      hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";
     };
 
     extraPatches = [ ./ssh-keysign-8.5.patch ];
@@ -51,7 +51,10 @@ in
     extraNativeBuildInputs = [ autoreconfHook ];
 
     extraConfigureFlags = [ "--with-hpn" ];
-    extraMeta.maintainers = with lib.maintainers; [ abbe ];
+    extraMeta = {
+      maintainers = with lib.maintainers; [ abbe ];
+      knownVulnerabilities = [ "CVE-2023-28531" ];
+    };
   };
 
   openssh_gssapi = common rec {
@@ -75,5 +78,6 @@ in
     ];
 
     extraNativeBuildInputs = [ autoreconfHook ];
+    extraMeta.knownVulnerabilities = [ "CVE-2023-28531" ];
   };
 }