A memory exhaustion vulnerability was found in the key exchange process in openssh. An unauthenticated peer could repeat the KEXINIT and cause allocation of up to 384MB for each connection.

Upstream patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup

References:
http://seclists.org/oss-sec/2016/q4/185

Upstream does not consider this as a security issue.

Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1387117]

*** This bug has been marked as a duplicate of bug 1384860 ***