Patch now and consider regenerating your keys just in case
Malicious OpenSSH servers can silently steal people’s private SSH keys as they try to login, it emerged today.
This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user’s computer – allowing crooks to jump from server to server.
The security cockup, present in the default configuration of OpenSSH, has been patched today, and all users and administrators are urged to update as soon as possible. ….The bug lies in versions 5.4 to 7.1 of the OpenSSH client, specifically in a little-known default-enabled feature called roaming that allows you to restart an SSH session after the connection has been interrupted. The roaming code contains an information sharing flaw (CVE-2016-0777) and a mildly harmless buffer overflow (CVE-2016-0778) blunder……The OpenSSH team has released version 7.1p2 that fixes the issue and software houses are scrambling to lock down this latest threat. The latest builds of FreeBSD and OpenBSD have already been patched, as have Debian, Ubuntu, and Red Hat Enterprise Linux.