OpenBSD erratum 011:
2016-03-10

Lack of credential sanitization allows injection of commands to xauth(1). Prevent this problem immediately by not using the "X11Forwarding" feature (which is disabled by default).

binpatch58-(amd64)-ssh-2.0.tgz
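
To confirm the "X11Forwarding" mitigation above is actually in effect, the following added example (not part of the erratum or of OpenSSH) lists the contexts in an sshd_config where X11Forwarding is set to yes. The function names and the sample configuration are constructed for illustration; the script assumes the first value seen in a context wins and does not follow Include directives.

```shell
#!/bin/sh
# Added example: report the sshd_config contexts that enable X11Forwarding.
# Reads a configuration on stdin and prints "global" or "match <criteria>"
# for each context whose first X11Forwarding value is "yes".
x11fwd_enabled_contexts() {
    awk '
    BEGIN { ctx = "global" }
    {
        sub(/^[ \t]+/, "")                 # drop leading whitespace
        if ($0 == "" || $0 ~ /^#/) next    # skip blank lines and comments
        line = $0
        sub(/[ \t]+$/, "", line)
        # keyword and argument are separated by whitespace or a single "="
        n = match(line, /[ \t]*=[ \t]*|[ \t]+/)
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
        arg = substr(line, n + RLENGTH)
        gsub(/"/, "", arg)                      # arguments may be quoted
        if (key == "match") { ctx = "match " arg; next }
        if (key == "x11forwarding" && !(ctx in seen)) {
            seen[ctx] = 1                       # later duplicates are ignored
            split(arg, word, /[ \t]+/)
            # compared case-insensitively so odd spellings are still reported
            if (tolower(word[1]) == "yes") print ctx
        }
    }'
}

# Constructed sample configuration, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
x11forwarding no
X11Forwarding yes
Match User alice
    X11Forwarding=yes
Match Group ops
    AllowTcpForwarding no
EOF
}

# Demo: only the Match block for alice enables forwarding, because the
# global section was already decided by its first line ("no").
sample_sshd_config | x11fwd_enabled_contexts
```

On a host, run it as `x11fwd_enabled_contexts < /etc/ssh/sshd_config`; no output means no context sets X11Forwarding to yes, which matches the default.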