OpenSSH – Information-leak vulnerability (CVE-2016-0777)
Since version 5.4, the OpenSSH client supports an undocumented feature called roaming. If a connection to an SSH server breaks unexpectedly, and if the SSH server supports roaming as well, the client is able to reconnect to the server and resume the interrupted SSH session. The roaming feature is enabled by default in OpenSSH clients, even though no OpenSSH server version implements the roaming feature.
- RHEL / CentOS 4, 5 and 6 are not affected by this flaw.
- If you are using RHEL 7 / CentOS 7 with OpenSSH 6.4, you need to update it to the latest OpenSSH 6.6 as soon as possible.
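
Because roaming is on by default in the client, a host is only protected by configuration if an explicit setting applies to it. The following added example (not part of the original advisory) resolves the effective setting per host from an ssh_config file; it assumes the client option is named `UseRoaming`, which this page does not mention, uses a constructed sample config with placeholder hostnames, and does not evaluate `Match` criteria other than `Match all`.

```python
import fnmatch
import re
import shlex

# Constructed sample ~/.ssh/config; hostnames are placeholders.
SAMPLE = """\
Host bastion.example.test
    UseRoaming yes
Host *.example.test !legacy.example.test
    useroaming=no
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def roaming_enabled(config_text, host):
    """Effective roaming setting for host; the first value obtained wins."""
    active = True  # lines before any Host/Match apply to every host
    for raw in config_text.splitlines():
        # Keyword and arguments are separated by whitespace or '='.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without arguments
        key, args = m.group(1).lower(), shlex.split(m.group(2))
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = args == ["all"]  # other Match criteria: not evaluated
        elif key == "useroaming" and active and args:
            # Anything other than an explicit no/false is treated as enabled.
            return args[0] not in ("no", "false")
    return True  # no directive applies: roaming stays on by default

def audit(config_text, hosts):
    """Return the hosts for which the client would still offer roaming."""
    return [h for h in hosts if roaming_enabled(config_text, h)]

if __name__ == "__main__":
    hosts = ["bastion.example.test", "web.example.test",
             "legacy.example.test", "git.example.org"]
    print(audit(SAMPLE, hosts))
```

In the sample, the negated pattern and the hosts outside `*.example.test` fall through to the default, so a `UseRoaming no` placed only under specific `Host` blocks leaves them uncovered.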