https://bugzilla.redhat.com/show_bug.cgi?id=1406286

It was found that there is a theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.

CVE assignment:
http://seclists.org/oss-sec/2016/q4/708

External References:
https://www.openssh.com/txt/release-7.4

Upstream patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10011
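The realloc() issue described above comes from the fact that realloc() may move a block and release the old one without wiping it, so a stale copy of the secret can stay on the heap. The sketch below is an added example, not OpenSSH code and not the upstream patch: `secbuf`, `secbuf_reserve`, `secbuf_free` and `load_key` are hypothetical names, and the 16-byte read loop is constructed. It shows a buffer that wipes the old block on every move, and how sizing the buffer up front avoids moves entirely.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer for secret bytes (not OpenSSH's sshbuf). */
struct secbuf { unsigned char *data; size_t len, cap, moves, scrubbed; };

/* Volatile stores so the compiler cannot optimise the wipe away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Grow without realloc(): copy to a new block, wipe the old one, free it. */
int secbuf_reserve(struct secbuf *b, size_t want) {
    unsigned char *n;
    if (want <= b->cap) return 0;
    if ((n = malloc(want)) == NULL) return -1;
    if (b->data != NULL) {
        memcpy(n, b->data, b->len);
        secure_zero(b->data, b->cap);
        free(b->data);
        b->moves++;               /* times the secret changed address */
        b->scrubbed += b->cap;    /* stale bytes wiped before free() */
    }
    b->data = n;
    b->cap = want;
    return 0;
}

void secbuf_free(struct secbuf *b) {
    if (b->data != NULL) { secure_zero(b->data, b->cap); free(b->data); }
    memset(b, 0, sizeof(*b));
}

/* Constructed 16-byte read() loop; size_hint models a file size known up front
 * (0 = unknown, so the buffer doubles as data arrives). */
int load_key(struct secbuf *b, const unsigned char *src, size_t n, size_t size_hint) {
    size_t off, chunk, cap;
    if (secbuf_reserve(b, size_hint ? size_hint : 32) != 0) return -1;
    for (off = 0; off < n; off += chunk) {
        chunk = n - off < 16 ? n - off : 16;
        for (cap = b->cap; cap < b->len + chunk; cap *= 2)
            if (cap > (size_t)-1 / 2) return -1;
        if (secbuf_reserve(b, cap) != 0) return -1;
        memcpy(b->data + b->len, src + off, chunk);
        b->len += chunk;
    }
    return 0;
}
```

With a plain realloc() in place of `secbuf_reserve`, each move counted in `moves` would be an unwiped copy of the secret left in freed memory.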