HP Security Bulletin - A potential security vulnerability has been identified in the SFTP Server (sftp-server) component of SSH version 3.2.0 and earlier running on HP Tru64 UNIX. The vulnerability could be exploited by a remote user to execute arbitrary code or cause a Denial of Service (DoS). Yes, this is from 2006. Yes, HP is just notifying people now.
97b55c3fc497bd98e96bbfccb72fb18e043e763c3dc094e105a84a146f8bc9bb
Gentoo Linux Security Advisory GLSA 200703-13 - The SSH Secure Shell Server contains a format string vulnerability in the SFTP code that handles file transfers (scp2 and sftp2). In some situations, this code passes the accessed filename to the system log. During this operation, an unspecified error could allow uncontrolled stack access. Versions less than 4.3.7 are affected.
c4615e96c164e0879eb0a971554bc41b7614d6a6e8528e0f7bfdbd66c1a3366e