The information leak is exploitable in the default configuration of the OpenSSH client, and (depending on the client’s version, compiler, and operating system) allows a malicious SSH server to steal the client’s private keys,” Qualys said in its advisory. “This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.” There was a second vulnerability patched as well, a buffer overflow in the

Source: OpenSSH Private Crypto Key Leak Patch | Threatpost | The first stop for security news