OpenSSH is vulnerable to CRLF injection. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions.
cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
rhn.redhat.com/errata/RHSA-2016-0465.html
rhn.redhat.com/errata/RHSA-2016-0466.html
seclists.org/fulldisclosure/2016/Mar/46
seclists.org/fulldisclosure/2016/Mar/47
www.openssh.com/txt/x11fwd.adv
www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
www.securityfocus.com/bid/84314
www.securitytracker.com/id/1035249
access.redhat.com/security/updates/classification/#moderate
bto.bluecoat.com/security-advisory/sa121
github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
lists.debian.org/debian-lts-announce/2018/09/msg00010.html
rhn.redhat.com/errata/RHSA-2016-0466.html
security.gentoo.org/glsa/201612-18
www.exploit-db.com/exploits/39569/
www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc