OpenSSH client versions 5.4 through 7.1p1 contain an information leak vulnerability that could allow the client to leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations.
CWE-200: Information Exposure - CVE-2016-0777
According to the OpenSSH release notes for version 7.1p2:
For more information, please see Qualys's advisory. The CVSS score below is based on CVE-2016-0777.
A user that authenticates to a malicious or compromised server may reveal private data, including the user's private SSH key, or cause a buffer overflow that may lead to remote code execution in certain non-default configurations.
Apply an update
Disable the 'UseRoaming' Feature
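An added example (not from the original advisory or the OpenSSH project): a POSIX shell audit that checks a client version banner against the affected range stated above and tests whether an ssh_config file disables roaming for every host. The function names and the `--audit` flag are hypothetical, `UseRoaming no` is the configuration form of the workaround named above, and a version with no `pN` suffix is assumed to be patch level 0.

```shell
#!/bin/sh
# Added example: client-side audit for the UseRoaming exposure (CVE-2016-0777).

# Return 0 when a banner such as "OpenSSH_6.9p1, OpenSSL ..." falls in the
# affected range given in the advisory: 5.4 through 7.1p1.
is_affected_version() {
    v=${1#OpenSSH_}                  # drop the banner prefix
    v=${v%%[!0-9.p]*}                # keep only the "6.9p1"-style token
    case $v in *p*) patch=${v##*p} ;; *) patch=0 ;; esac   # assumption: no pN = 0
    num=${v%%p*}
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac        # unparseable banner
    done
    n=$((major * 100 + minor))
    [ "$n" -ge 504 ] || return 1
    [ "$n" -le 701 ] || return 1
    [ "$n" -lt 701 ] || [ "$patch" -le 1 ]                 # 7.1p2 is fixed
}

# Return 0 when the ssh_config text on stdin disables roaming for every host.
# ssh keeps the first value it obtains for an option, so "UseRoaming no" must
# be reached at global scope (before any Host/Match block, or under "Host *")
# before any other UseRoaming value is seen.
roaming_disabled_globally() {
    awk '
        BEGIN { global = 1 }
        /^[ \t]*#/ { next }                       # comment line
        { gsub(/=/, " "); key = tolower($1) }     # "Key=value" form; keys ignore case
        key == "host"  { global = (NF == 2 && $2 == "*"); next }
        key == "match" { global = 0; next }
        key == "useroaming" {
            if (tolower($2) != "no") exit         # some host obtains another value first
            if (global) { ok = 1; exit }
        }
        END { exit(ok ? 0 : 1) }
    '
}

# Hypothetical driver: run the script with --audit to check this machine.
if [ "${1:-}" = "--audit" ]; then
    banner=$(ssh -V 2>&1)
    is_affected_version "$banner" && echo "affected version range: $banner"
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        [ -r "$f" ] || continue
        roaming_disabled_globally < "$f" || echo "no global UseRoaming no in $f"
    done
fi
```

Check each configuration file separately, since scope resets at the start of every file. Distribution packages often backport fixes without changing the banner, so treat a version match as a prompt to check the vendor changelog.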
This issue was previously coordinated and publicly disclosed by the Qualys Security Advisory Team.