In a discussion about the recent OpenSSL information disclosure vulnerability, the subject of OpenSSH being vulnerable came up. While OpenSSH is not vulnerable due to the problem lying in the TLS handshake, it opened discussion for the security of OpenSSH on FreeBSD.
Theo de Raadt had this to say:
... as long as you aren't using FreeBSD or a derivative (hint: Juniper), you are fine. That's the only place I know of an OpenSSH hole.
This coming from someone in his position is worrisome. I don't know if this is a stab at the FreeBSD project, or if he is privy to some inside exploit of the OpenSSH implementation on FreeBSD.
Since the person in question doesn't believe in public disclosure, I am wondering what steps people have taken to mitigate this possibly huge security flaw, if it exists at all.