Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
https://exchange.xforce.ibmcloud.com/vulnerabilities/29254
http://www.us-cert.gov/cas/techalerts/TA07-072A.html
http://www.openbsd.org/errata.html#ssh
http://www.mandriva.com/security/advisories?name=MDKSA-2006:179
http://www.kb.cert.org/vuls/id/851340
http://www.debian.org/security/2006/dsa-1189
http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
http://security.gentoo.org/glsa/glsa-200611-06.xml
http://security.freebsd.org/advisories/FreeBSD-SA-06%3A22.openssh.asc
http://openssh.org/txt/release-4.4
http://marc.info/?l=openssh-unix-dev&m=115939141729160&w=2
http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004051.html
http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html