The OpenSSH project reports:
ssh-agent(1): Will now refuse to load PKCS#11 modules from
paths outside a trusted whitelist (run-time configurable).
Requests to load modules could be passed via agent forwarding
and an attacker could attempt to load a hostile PKCS#11 module
across the forwarded agent channel: PKCS#11 modules are shared
libraries, so this would result in code execution on the system
running the ssh-agent if the attacker has control of the
forwarded agent-socket (on the host running the sshd server)
and the ability to write to the filesystem of the host running
ssh-agent (usually the host running the ssh client).
(CVE-2016-10009)

sshd(8): When privilege separation is disabled, forwarded
Unix-domain sockets would be created by sshd(8) with the
privileges of ‘root’ instead of the authenticated user. This
release refuses Unix-domain socket forwarding when privilege
separation is disabled (Privilege separation has been enabled by
default for 14 years). (CVE-2016-10010)
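
A path allowlist like the one in the first item only holds if the requested module path is canonicalised before it is matched, otherwise a symlink or a "../" component inside a trusted directory defeats it. The C code below is an added example, not OpenSSH source: provider_allowed(), touch(), demo() and the trusted/ and staging/ directories are hypothetical names, and the sample tree is constructed in a temporary directory.

```c
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, strtok_r, symlink */
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 only if the canonical path of `provider` matches a pattern in the
 * comma-separated allowlist; a path that cannot be resolved is refused. */
int provider_allowed(const char *provider, const char *allowlist)
{
    char canonical[PATH_MAX], list[PATH_MAX], *tok, *save = NULL;

    if (strlen(allowlist) >= sizeof(list) || realpath(provider, canonical) == NULL)
        return 0;
    strcpy(list, allowlist);                    /* strtok_r modifies its input */
    for (tok = strtok_r(list, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (fnmatch(tok, canonical, 0) == 0)    /* flags 0: '*' also spans '/' */
            return 1;
    return 0;
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }

/* Constructed sample tree. Result bits: 1 = module really inside trusted/ was
 * accepted, 2 = symlink in trusted/ pointing into staging/ was accepted,
 * 4 = trusted/../staging/ path was accepted. Only bit 1 should be set. */
int demo(void)
{
    char tmpl[] = "/tmp/p11demoXXXXXX", base[PATH_MAX], allow[PATH_MAX + 16];

    if (!mkdtemp(tmpl) || !realpath(tmpl, base) || chdir(base) != 0 ||
        mkdir("trusted", 0700) || mkdir("staging", 0700) ||
        touch("trusted/good.so") || touch("staging/evil.so") ||
        symlink("../staging/evil.so", "trusted/link.so"))
        return -1;                              /* could not build the sample */
    snprintf(allow, sizeof(allow), "%s/trusted/*", base);
    return provider_allowed("trusted/good.so", allow)
         | provider_allowed("trusted/link.so", allow) << 1
         | provider_allowed("trusted/../staging/evil.so", allow) << 2;
}

int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

Matching the raw string instead of the resolved path would accept the "../" request, because the wildcard also spans directory separators.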