• Here's the CERT alert: ​https://www.us-cert.gov/ncas/current-activity/2016...
  
• Here you can find more information on the problem: https://www.kb.cert.org/vuls/id/456088
  
• Here are the full release notes from the patch from OpenSSH: http://www.openssh.com/txt/release-7.1p2

Analysts say this about the bug ...

"​The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming).

The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.

The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers."

​

​