The OpenBSD project earlier issued a press release about a critical security vulnerability recently discovered in OpenSSH versions 5.4 to 7.1, which could allow an attacker to steal sensitive data, including private user keys. The issue has now been patched in OpenSSH 7.1p2, which is available for download.
“It was discovered that the OpenSSH client experimental support for resuming connections contained multiple security issues. A malicious server could use this issue to leak client memory to the server, including private client user keys,” say the developers in today’s Ubuntu Security Notice USN-2869-1.
The security issue affects all supported releases of the Ubuntu Linux operating system, as well as its derivatives, including Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin). Canonical updated the OpenSSH packages in all of these releases on the same day.
Therefore, if you are running one of the above-mentioned operating systems, or any other derivative based on them, you are urged to update the OpenSSH packages as soon as possible to openssh-client 6.9p1-2ubuntu0.1 in Ubuntu 15.10, openssh-client 6.7p1-5ubuntu1.4 in Ubuntu 15.04, openssh-client 6.6p1-2ubuntu2.4 in Ubuntu 14.04 LTS, and openssh-client 5.9p1-5ubuntu1.8 in Ubuntu 12.04 LTS.
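An added check, not from the article or from Canonical, that compares an installed openssh-client version against the patched versions listed above for each Ubuntu release; it assumes dpkg (or, as a fallback, GNU sort -V) is available, and strips the Debian epoch prefix "1:" that Ubuntu's openssh packages carry, since the notice quotes versions without it:

```sh
#!/bin/sh
# Added example, not from the article or Canonical: verify that the
# openssh-client on an Ubuntu host is at least the version fixed in USN-2869-1.

# Fixed openssh-client versions per Ubuntu release, as listed in the notice.
fixed_version_for() {
    case "$1" in
        15.10) echo "6.9p1-2ubuntu0.1" ;;
        15.04) echo "6.7p1-5ubuntu1.4" ;;
        14.04) echo "6.6p1-2ubuntu2.4" ;;
        12.04) echo "5.9p1-5ubuntu1.8" ;;
        *)     return 1 ;;
    esac
}

# Debian-style "greater or equal" comparison. dpkg is authoritative; the
# sort -V fallback (assumed GNU sort) is good enough for these version strings.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# check_release INSTALLED_VERSION RELEASE
# Exit 0 = patched, 1 = still vulnerable, 2 = release not covered by the notice.
check_release() {
    installed="${1#*:}"   # drop the Debian epoch ("1:"), which the notice omits
    fixed=$(fixed_version_for "$2") || { echo "no fixed version known for Ubuntu $2" >&2; return 2; }
    if version_ge "$installed" "$fixed"; then
        echo "OK: openssh-client $installed >= $fixed (Ubuntu $2)"
    else
        echo "VULNERABLE: openssh-client $installed < $fixed (Ubuntu $2); update now"
        return 1
    fi
}

# Probe the running host (dpkg-query and /etc/os-release are standard on Ubuntu).
check_this_host() {
    release=$(. /etc/os-release && echo "$VERSION_ID")
    installed=$(dpkg-query -W -f='${Version}' openssh-client)
    check_release "$installed" "$release"
}

case $# in
    2) check_release "$1" "$2" ;;
    1) [ "$1" = "--host" ] && check_this_host ;;
    *) echo "usage: $0 --host | INSTALLED_VERSION UBUNTU_RELEASE" >&2 ;;
esac
```

Run it with `--host` on the machine being checked, or pass a version and release to evaluate a reported version offline.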
Update: A few minutes ago, at 5:00 AM on Friday, January 15, 2016, Canonical also released the OpenSSH 7.1p2 update for the Ubuntu 16.04 LTS (Xenial Xerus) operating system, which is currently in development.