Updated OpenSSH packages are now available for Red Hat Linux 7, 7.1, and 7.2. These packages fix a vulnerability which exists when a server is configured with the "UseLogin" option.
When the "UseLogin" option is enabled in OpenSSH, a malicious user who authenticates using key-based authentication methods can influence the environment variables passed to the login process. This could allow the user to execute arbitrary code with superuser privileges. In Red Hat Linux the OpenSSH server has the "UseLogin" option disabled by default. Therefore, it is not vulnerable unless the system administrator has changed this setting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0872 to this issue.
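To see whether a given server falls into the affected configuration, the check below reports how an sshd configuration file sets "UseLogin". It is an added example, not part of the original advisory or of the OpenSSH packages. The function name `uselogin_state` and the sample file are constructed for illustration; on a real host, pass the path to your sshd_config (commonly /etc/ssh/sshd_config, which is an assumption here). Any active "UseLogin yes" line is reported as enabled, even if another line sets it to "no".

```shell
#!/bin/sh
# Added example: classify the UseLogin setting in an sshd_config file.
# Prints one of:
#   enabled  - at least one active line turns UseLogin on
#   disabled - UseLogin is only ever set explicitly to off
#   default  - no active UseLogin line (disabled by default per the advisory)
uselogin_state() {
    # $1: path to the sshd configuration file to inspect
    awk '
        BEGIN { state = "default" }
        {
            line = $0
            sub(/#.*/, "", line)              # strip comments
            sub(/^[ \t]+/, "", line)          # strip leading whitespace
            sub(/[ \t]+$/, "", line)          # strip trailing whitespace
            if (line == "") next
            sub(/[ \t]*=[ \t]*/, " ", line)   # accept "keyword=value" too
            n = split(line, f, " ")
            # sshd_config keywords are case-insensitive
            if (n < 2 || tolower(f[1]) != "uselogin") next
            val = f[2]
            gsub(/"/, "", val)                # tolerate a quoted argument
            if (val == "yes" || val == "true")
                state = "enabled"
            else if (state == "default")
                state = "disabled"
        }
        END { print state }
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config sample
Port 22
#UseLogin no
  uselogin = yes
EOF
echo "UseLogin is: $(uselogin_state "$sample")"
rm -f "$sample"
```

A result of "enabled" means the server matches the condition described above and should receive the updated packages before anything else; "default" and "disabled" mean the option is off.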