Multiple vulnerabilities have been found in OpenSSH. A remote server to which the client has authenticated could obtain potentially sensitive information from OpenSSH client memory or potentially execute arbitrary code on the client system. In particular, an OpenSSH client connecting to a malicious OpenSSH server may have its private user keys compromised or arbitrary code executed.
> OpenSSH versions 5.4 through 7.1p1
Systems such as Linux or network equipment using OpenSSH for remote access may also be affected.
Successful exploitation could lead to a man-in-the-middle attack or the compromise of a vulnerable system.
The related vulnerabilities are fixed in OpenSSH 7.1p2. Users of systems such as Linux or network equipment that use OpenSSH for remote access should check with their product vendors whether a vulnerable OpenSSH version is in use and, if so, upgrade to the fixed version or follow the recommendations provided by the product vendors to mitigate the risk. As good general practice, the passwords of privileged accounts such as administrator should be changed regularly, and the private client user key should be re-generated if it is suspected to have been compromised.
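As an added example (not part of this advisory), the following POSIX shell functions help with the check described above: one decides whether a version string as printed by `ssh -V` falls in the affected range 5.4 through 7.1p1, and one checks whether a client configuration file disables the roaming feature with `UseRoaming no`, the workaround given in the linked OpenSSH 7.1p2 release notes. The sample version strings and the config paths are assumptions; the code does not claim to know which vendor-patched builds backported the fix.

```shell
#!/bin/sh
# Added example: return 0 if $1 names an OpenSSH version in 5.4 .. 7.1p1,
# 1 if it is outside that range, 2 if no version can be parsed.
# Accepts raw `ssh -V` output such as "OpenSSH_7.1p1 Ubuntu-2ubuntu2, OpenSSL ...".
openssh_affected() {
    ver=${1#*OpenSSH_}            # drop everything up to and including "OpenSSH_"
    ver=${ver%%[!0-9.p]*}         # keep the leading digits, dots and portable "pN" suffix
    case $ver in
        [0-9]*.[0-9]*) ;;         # looks like "7.1", "7.1p1" or "6.6.1p1"
        *) return 2 ;;            # not a recognisable OpenSSH version string
    esac
    num=${ver%%p*}                # "7.1" or "6.6.1"
    patch=${ver#"$num"}           # "p1" or empty (no portable patch level)
    patch=${patch#p}
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    [ "$major" -lt 5 ] && return 1                       # 4.x and older: before roaming
    [ "$major" -gt 7 ] && return 1                       # 8.x and newer: fixed
    [ "$major" -eq 5 ] && [ "$minor" -lt 4 ] && return 1 # 5.0 .. 5.3: before roaming
    if [ "$major" -eq 7 ]; then
        [ "$minor" -gt 1 ] && return 1                   # 7.2 and later: fixed
        [ "$minor" -eq 1 ] && [ -n "$patch" ] && [ "$patch" -gt 1 ] && return 1  # 7.1p2+: fixed
    fi
    return 0
}

# Return 0 if the ssh_config file $1 contains an active "UseRoaming no" line.
# Keywords are case-insensitive; Host-block scoping is deliberately ignored.
roaming_disabled() {
    [ -r "$1" ] && grep -iq '^[[:space:]]*UseRoaming[[:space:]]\{1,\}no[[:space:]]*$' "$1"
}

# Stand-alone usage: report on the locally installed client, if any.
if command -v ssh >/dev/null 2>&1; then
    local_ver=$(ssh -V 2>&1)
    if openssh_affected "$local_ver"; then
        echo "AFFECTED (5.4..7.1p1): $local_ver"
        for cfg in /etc/ssh/ssh_config "$HOME/.ssh/config"; do   # assumed config locations
            roaming_disabled "$cfg" && echo "workaround present in $cfg"
        done
    else
        echo "not in the affected version range: $local_ver"
    fi
fi
```

A vendor build may carry the fix under an older version number, so treat a hit as a prompt to check the vendor's advisory rather than as proof of exposure.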
http://www.openssh.com/txt/release-7.1p2
https://www.us-cert.gov/ncas/current-activity/2016/01/14/OpenSSH-Client-Vulnerability
https://www.hkcert.org/my_url/en/alert/16011501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777 (to CVE-2016-0778)