“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys.”
So what does this mean in practice? A malicious or compromised server could potentially retrieve the user's private SSH keys from client memory. The stolen keys could then be used to authenticate against other servers that trust them.
(2FA helps protect servers against the use of stolen keys; however, it is not in as widespread use as it should be.)
In short: until the software is updated, you can use the following mitigation options to protect yourself:
Today we’re celebrating Percona’s 7th anniversary. A lot has changed in these past 7 years – we have grown from a two-person outfit focused exclusively on consulting to a 100-person company with teammates in 22 different countries and 18 different states, now providing Support, Consulting, RemoteDBA, Server Development and Training services.
We also made our mark in open source software development, creating some of the most popular products for the MySQL ecosystem – Percona Toolkit, Percona Xtrabackup, Percona XtraDB Cluster, Percona Server and others. Additionally, we’re into our second year of hosting the Percona Live conference series for the MySQL community. We have grown to serve over 2,000 customers and I’m proud to say we could do it all in bootstrap mode, without attracting outside investors, while keeping the company owned by its employees.
So how are we celebrating our anniversary? We decided to celebrate by supporting the open source ecosystem, making donations to a number of open source initiatives that have helped us through all these years. We would not be here without you!
As such we’re supporting:
MariaDB Foundation for supporting MariaDB, one of the MySQL alternatives that we fully support at Percona.
Linux Foundation for supporting Linux, by far the most popular platform among our customers.
Debian for creating a foundation for some of the most popular Linux distributions out there.
Jenkins for the Continuous Integration server we use for our development projects.
OpenSSH for software that helps us to access customer systems securely.
Drupal for powering our website as well as the websites of many of our customers.
We’re happy to enjoy the growth that’s allowing us to support other projects in our ecosystem. If you have the chance, I encourage you to do the same. There is a tremendous amount of work going into open source software, which is made free to use, but it is by far not free to create and maintain.