OpenSSH released version 7.0 this week, along with four security fixes and various new features, focusing the newest release on deprecating “weak, legacy and/or unsafe cryptography,” OpenSSH wrote in its release notes.
Among the patched bugs is a user-after-free vulnerability related to PAM support, which could have allowed attackers to compromise the pre-authentication process for remote code execution. Another patched bug could have allowed local attackers to write arbitrary messages to logged-in users, including terminal escape sequences.
The open source protocol also mentioned its future 7.1 release. In it, the release notes stated, some legacy cryptography will be retired. It will refuse all RSA keys smaller than 1024 bits and disable certain ciphers by default. MD5-based HMAC algorithms will also be phased out.