A critical bug that can leak secret cryptographic keys has just just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.
The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials wrote in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
The OpenSSH maintainers have released a patch that fixes this, so if you’re using OpenSSH, update. It’s always important to make sure you’re running the latest versions of the things you depend on, especially when security fixes are involved.
And if you haven’t done so already, please consider contributing to free software like this. Free, (as in freedom) is everyone’s responsibility, and even if you’re not a coder, you can still contribute. All of the security, server-side software, and the client-side software used to interact with the server, which is widely used is free software. In order for that to remain the case, the upkeep of said software/tools canot be left to “other people.” so if you haven’t done so already, consider giving something back to the communities whose software you freely use to get your work done, or daily tasks completed. Your contributions, whether in time and talent or monetary form, make a difference.