A security vulnerability in widely used open-source software has been described as "the most serious bug."
A major vulnerability has been found and fixed in OpenSSH, the open-source remote-connectivity tool built on the Secure Shell protocol. The flaw was the result of an "experimental" feature, known as roaming, that allows clients to resume interrupted connections.
According to the mailing-list post disclosing the flaw, a malicious server can trick an affected client into leaking client memory, including the user's private keys.
The affected code is enabled by default in OpenSSH client versions 5.4 to 7.1. The matching server code was never shipped, the mailing list said.
The flaw doesn't have a catchy name like some previous flaws, but disabling client-side roaming support (setting UseRoaming no in the client's ssh_config) shuts off the vulnerable code until the patched client is installed.
The flaw, which is said to be years old, was found by Qualys' security advisory team.
Wolfgang Kandek, chief technology officer at Qualys, confirmed in an email that the company disclosed the bugs to the OpenSSH team on January 11, and commended the team for working "incredibly fast" to get a patch out three days later.
"Developers and admins are advised to regenerate and rotate keys to systems they touch, whether for hobby [or] weekend projects, or more sensitive servers -- including Github," he added.
Bottom line? Patch now, and patch fast.
Edited by JohnC_21, 14 January 2016 - 06:25 PM.