https://nvd.nist.gov/vuln/detail/CVE-2017-15906 - Has not been fixed in FreeBSD 11.x
Is there a special reason for this or was it forgotten?
These are the mentioned lines: https://svnweb.freebsd.org/base/releng/11.2/crypto/openssh/sftp-server.c?view=markup#l694
A fix is available (and has been released with v7.6 - so FBSD 12 isn't vulnerable) - see:
or from OpenBSD:
See Also: http://lists.nycbug.org/pipermail/talk/2017-December/017442.html where eadler apparently looped secteam in
HEAD received the OpenSSH 7.6p1 update in base r333389 so stable/12 has it