OpenSSH Flaw Could Leak Crypto Keys


Qualys on Thursday reported a flaw in the OpenSSH client that could let a hacker steal the client’s private crypto keys. The bug is the result of an undocumented feature called “roaming” that is present in version 5.4, released March 8, 2010, and all later versions. It’s one of two vulnerabilities that a malicious SSH server, or a trusted but compromised one, can exploit, Qualys said. The other is a heap-based buffer overflow. OpenSSH issued a fix for the information leak Thursday.
