OpenSSH 7.1p2 release notes mention the following security fix: * SECURITY: Fix an out of-bound read access in the packet handling code. Reported by Ben Hawkes. http://www.openssh.com/txt/release-7.1p2 Related upstream commit is: https://anongit.mindrot.org/openssh.git/commit/?id=d77148e3a3ef6c29b26ec74331455394581aa257
For the record, this bug was introduced by upstream commit in openssh-6.8: https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0 The function packet_disconnect() (terminating connection and exiting) was replaced by sshpkt_disconnect() which only sends disconnect message, but does not terminate the execution. This might lead to operation on the buffer of wrong size. This does not affect any released version of RHEL.
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 1298840]
Created gsi-openssh tracking bugs for this issue: Affects: fedora-all [bug 1298841]
Only OpenSSH versions 6.8 - 7.1 were affected by this issue. Therefore, openssh packages in Red Hat Enterprise Linux 7 and earlier were not affected by this issue.
CVE-2016-1907 was assigned to this issue: http://seclists.org/oss-sec/2016/q1/112
openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.