One interesting fact about padding oracle attacks (the family of attacks to which POODLE belongs) is that they only work on CBC-mode block ciphers. CTR-mode, an alternative mode of operation that essentially changes a block cipher to a stream cipher, cannot be vulnerable to this kind of attack (and has the added benefit of being easily parallelizable), but has suffered from a lack of adoption due to some misunderstandings. As @journeysquid noted, OpenSSH has now actually disabled CBC ciphers in general, which is probably a good idea.
Note: You probably shouldn’t actually use CTR mode for anything, as it doesn’t provide authentication, but in a situation where you’re choosing between CTR and CBC, choose CTR.
With regard to the changelog, saying CBC ciphers are unsafe is pretty misleading. CBC implemented properly is rock-solid (against a certain subset of attacks, for a certain definition of rock-solid that does include an epsilon term for attacker advantage). It’s just slower and easy to mess up in certain ways (although CTR and CTR-based modes in general are far from foolproof; for instance, reusing a nonce compromises the whole plaintext, instead of just metadata).
Related:
http://www.imperialviolet.org/2014/10/14/poodle.html
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
I noticed OpenSSH 6.7 has also disabled CBC ciphers (http://www.openbsd.org/56.html); is that just coincidence?
CBC is a poor fit for wire protocols like this; it was part of the problem for many previous issues and seems likely to recur.
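The two CTR caveats raised in this thread (no authentication, and nonce reuse exposing plaintext), as an added example that is not code from any commenter. HMAC-SHA256 stands in for the block cipher so it runs on the standard library alone; the keys, nonce and messages are constructed, and `seal`/`unseal` are hypothetical names.

```python
import hashlib
import hmac

BLOCK = 32  # keystream bytes produced per counter value

def ctr_xor(key, nonce, data):
    """CTR-style encrypt/decrypt: XOR data with PRF(key, nonce || counter).
    Assumption: HMAC-SHA256 is the PRF here in place of a block cipher."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = (i // BLOCK).to_bytes(8, "big")
        ks = hmac.new(key, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (not from the thread).
KEY, MAC_KEY, NONCE = bytes(range(32)), bytes(range(32, 64)), b"\x00" * 8
P1 = b"transfer 0100 to alice"
P2 = b"meeting moved to 3 pm."

def reuse_leak():
    """Same key and nonce twice: c1 ^ c2 == p1 ^ p2, so knowing P1 yields P2."""
    c1, c2 = ctr_xor(KEY, NONCE, P1), ctr_xor(KEY, NONCE, P2)
    return xor(xor(c1, c2), P1)

def bitflip():
    """No authentication: a ciphertext bit flip is the same plaintext bit flip."""
    c = bytearray(ctr_xor(KEY, NONCE, P1))
    c[9] ^= ord("0") ^ ord("9")          # byte 9 is the first amount digit
    return ctr_xor(KEY, NONCE, bytes(c))

def seal(key_enc, key_mac, nonce, plaintext, seen_nonces):
    """Mitigation: refuse a repeated nonce, then encrypt-then-MAC."""
    if nonce in seen_nonces:
        raise ValueError("nonce reuse under the same key")
    seen_nonces.add(nonce)
    ct = ctr_xor(key_enc, nonce, plaintext)
    return ct, hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()

def unseal(key_enc, key_mac, nonce, ct, tag):
    """Verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(key_enc, nonce, ct)
```

In practice an AEAD mode built on CTR does the job of `seal`/`unseal`; the nonce-uniqueness requirement stays the caller's responsibility.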