diff --git a/changelog/security/2021-12-09-openssh-8.8.md b/changelog/security/2021-12-09-openssh-8.8.md
new file mode 100644
index 0000000000..4d2a415c61
--- /dev/null
+++ b/changelog/security/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- [CVE-2021-41617](https://nvd.nist.gov/vuln/detail/CVE-2021-41617)
diff --git a/changelog/updates/2021-12-09-openssh-8.8.md b/changelog/updates/2021-12-09-openssh-8.8.md
new file mode 100644
index 0000000000..4ccf56de64
--- /dev/null
+++ b/changelog/updates/2021-12-09-openssh-8.8.md
@@ -0,0 +1 @@
+- openssh ([8.8](http://www.openssh.com/txt/release-8.8))
diff --git a/coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild b/coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild
similarity index 100%
rename from coreos-base/coreos-init/coreos-init-0.0.1-r171.ebuild
rename to coreos-base/coreos-init/coreos-init-0.0.1-r172.ebuild
diff --git a/coreos-base/coreos-init/coreos-init-9999.ebuild b/coreos-base/coreos-init/coreos-init-9999.ebuild
index e9419b49a5..de1299b28c 100644
--- a/coreos-base/coreos-init/coreos-init-9999.ebuild
+++ b/coreos-base/coreos-init/coreos-init-9999.ebuild
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="58360ed0da957c2cd0ae9eeab645735d814f565c" # flatcar-master
+	CROS_WORKON_COMMIT="80b3b3cd021b4120cd9218b33b1f92936abe00bb" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index abbd256887..883f7ee765 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,6 +1,6 @@
-DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540
-DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c
-DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
+DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
+DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
+DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
 DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
 DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
deleted file mode 100644
index d6f5e42027..0000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff
---- a/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:47:40.415668320 -0700
-+++ b/openssh-8.7p1+x509-13.2.diff	2021-08-30 17:49:14.916114987 -0700
-@@ -51082,12 +51082,11 @@
-  
-  install-files:
-  	$(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +368,8 @@
-+@@ -391,6 +368,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -69793,7 +69792,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-  	verbose "$tid: cipher $c"
-@@ -69808,7 +69807,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
-  	verbose "$tid: kex $k"
-@@ -69823,7 +69822,7 @@
- -	echo "putty interop tests not enabled"
- -	exit 0
- -fi
--+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }
-++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }
-  
-  if [ "`${SSH} -Q compression`" = "none" ]; then
-  	comp="0"
-@@ -70130,9 +70129,9 @@
-  
- +# cross-project configuration
- +if test "$sshd_type" = "pkix" ; then
--+  unset_arg=''
-++  unset_arg=
- +else
--+  unset_arg=none
-++  unset_arg=
- +fi
- +
-  cat > $OBJ/sshd_config.i << _EOF
-@@ -131673,16 +131672,6 @@
- +int	 asnmprintf(char **, size_t, int *, const char *, ...)
-  	    __attribute__((format(printf, 4, 5)));
-  void	 msetlocale(void);
--diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h
----- openssh-8.7p1/version.h	2021-08-20 07:03:49.000000000 +0300
--+++ openssh-8.7p1+x509-13.2/version.h	2021-08-30 20:07:00.000000000 +0300
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_8.7"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4
- --- openssh-8.7p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.7p1+x509-13.2/version.m4	2021-08-30 20:07:00.000000000 +0300
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
new file mode 100644
index 0000000000..b6827623cd
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
@@ -0,0 +1,63 @@
+diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
+--- a/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:17.070546984 -0700
++++ b/openssh-8.8p1+x509-13.2.3.diff	2021-10-29 14:59:55.086664489 -0700
+@@ -954,15 +954,16 @@
+  	char b[512];
+ -	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
+ -	u_char *hash = xmalloc(len);
++-	double delay;
+ +	int digest_alg;
+ +	size_t len;
+ +	u_char *hash;
+- 	double delay;
+- 
+++	double delay = 0;
+++
+ +	digest_alg = ssh_digest_maxbytes();
+ +	len = ssh_digest_bytes(digest_alg);
+ +	hash = xmalloc(len);
+-+
++
+  	(void)snprintf(b, sizeof b, "%llu%s",
+  	    (unsigned long long)options.timing_secret, user);
+ -	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
+@@ -51859,12 +51860,11 @@
+  
+  install-files:
+  	$(MKDIR_P) $(DESTDIR)$(bindir)
+-@@ -391,6 +372,8 @@
++@@ -391,6 +372,7 @@
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+	$(MKDIR_P) $(DESTDIR)$(piddir)
+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -71985,7 +71985,7 @@
+ +if test "$sshd_type" = "pkix" ; then
+ +  unset_arg=''
+ +else
+-+  unset_arg=none
+++  unset_arg=
+ +fi
+ +
+  cat > $OBJ/sshd_config.i << _EOF
+@@ -132360,16 +132360,6 @@
+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)
+  	    __attribute__((format(printf, 4, 5)));
+  void	 msetlocale(void);
+-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
+---- openssh-8.8p1/version.h	2021-09-26 17:03:19.000000000 +0300
+-+++ openssh-8.8p1+x509-13.2.3/version.h	2021-10-23 16:27:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION	"OpenSSH_8.8"
+- 
+--#define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
+ --- openssh-8.8p1/version.m4	1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.8p1+x509-13.2.3/version.m4	2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 9ce34e6107..58ff739e1d 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
   <maintainer type="project">
     <email>base-system@gentoo.org</email>
diff --git a/net-misc/openssh/openssh-8.7_p1-r1.ebuild b/net-misc/openssh/openssh-8.8_p1-r3.ebuild
similarity index 94%
rename from net-misc/openssh/openssh-8.7_p1-r1.ebuild
rename to net-misc/openssh/openssh-8.8_p1-r3.ebuild
index 6f85969abe..49d9f7b6e1 100644
--- a/net-misc/openssh/openssh-8.7_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.8_p1-r3.ebuild
@@ -1,6 +1,3 @@
-# Difference to upstream from ./update_ebuilds:
-# - Ported changes from 11d6f23704e7ab84191e28e034816bfdb151d406
-#
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
@@ -24,7 +21,7 @@ HPN_PATCHES=(
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
@@ -39,7 +36,7 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
 
 RESTRICT="!test? ( test )"
 
@@ -48,7 +45,7 @@ REQUIRED_USE="
 	ldns? ( ssl )
 	pie? ( !static )
 	static? ( !kerberos !pam )
-	X509? ( !sctp !security-key ssl !xmss )
+	X509? ( !sctp ssl !xmss )
 	xmss? ( ssl  )
 	test? ( ssl )
 "
@@ -60,23 +57,13 @@ LIB_DEPEND="
 	audit? ( sys-process/audit[static-libs(+)] )
 	ldns? (
 		net-libs/ldns[static-libs(+)]
-		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
-		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
+		net-libs/ldns[ecdsa,ssl(+)]
 	)
 	libedit? ( dev-libs/libedit:=[static-libs(+)] )
 	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
 	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
 	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
-	ssl? (
-			|| (
-				(
-					>=dev-libs/openssl-1.0.1:0[bindist(-)=]
-					<dev-libs/openssl-1.1.0:0[bindist(-)=]
-				)
-				>=dev-libs/openssl-1.1.0g:0[bindist(-)=]
-			)
-			dev-libs/openssl:0=[static-libs(+)]
-	)
+	ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
 	virtual/libcrypt:=[static-libs(+)]
 	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
 "
@@ -177,7 +164,7 @@ src_prepare() {
 			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
 		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
 
-		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
+		einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
 		sed -i \
 			-e "/\t\tcfgparse \\\/d" \
 			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
@@ -188,7 +175,7 @@ src_prepare() {
 		mkdir "${hpn_patchdir}" || die
 		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
 		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
+		eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
 		use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
 		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
 		popd &>/dev/null || die
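Review bot: The changed `eapply` line now hard-wires the HPN glue to `8.7_p1` instead of tracking `${P}`, and nothing in the hunk records that reusing older glue against 8.8_p1 is deliberate. The two `use X509` / `use sctp` lines below it already pin `8.7_p1` and `8.5_p1` glue the same way, and the Manifest context lines still list the `openssh-8_5_P1-hpn-*` distfiles, so the HPN patch stack appears to lag the base release by several versions. A one-line comment above the three `eapply` calls would keep the next bump from carrying stale glue forward unnoticed, e.g. `# HPN glue is intentionally reused from older releases; re-verify it applies cleanly and still matches the HPN patchset on every version bump`. src_prepare starts and ends outside the hunk, so whether this branch is reached with the USE flags this profile sets is not visible here.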
@@ -321,11 +308,6 @@ src_configure() {
 	)
 
 	if use elibc_musl; then
-		# stackprotect is broken on musl x86 and ppc
-		if use x86 || use ppc; then
-			myconf+=( --without-stackprotect )
-		fi
-
 		# musl defines bogus values for UTMP_FILE and WTMP_FILE
 		# https://bugs.gentoo.org/753230
 		myconf+=( --disable-utmp --disable-wtmp )
diff --git a/profiles/coreos/base/package.accept_keywords b/profiles/coreos/base/package.accept_keywords
index 52119d2ca9..b16b2d15a1 100644
--- a/profiles/coreos/base/package.accept_keywords
+++ b/profiles/coreos/base/package.accept_keywords
@@ -31,7 +31,7 @@ dev-util/checkbashisms
 
 =net-libs/gnutls-3.7.1 ~amd64 ~arm64
 
-=net-misc/openssh-8.7_p1-r1 ~amd64 ~arm64
+=net-misc/openssh-8.8_p1-r3 ~amd64 ~arm64
 
 =net-misc/rsync-3.2.3-r5 ~amd64 ~arm64