Posted on 01/14/2016 7:03:07 PM PST by Utilizer
OpenSSH developers have patched a serious flaw in the popular open source remote access protocol that could compromise encryption keys, with users urged to upgrade their OpenSSH installations straight away.
According to the advisory, the vulnerability has been blamed on an experimental roaming feature, aimed at resuming SSH connections, in OpenSSH versions 5.4 to 7.1.
Attackers who control servers could use the vulnerability to discover a client's private encryption keys, the OpenSSH developers said.
"The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.
"The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers," the advisory said.
(Excerpt) Read more at itnews.com.au ...
Oy. This is one for the day job...
Good luck with that, mate. :)
Cheers!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.