Update: that important patch appears to be OpenSSH 7.1p2, available now. "The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys." There are a few other security fixes there as well.
Update 2: see the Qualys advisory for vast amounts of detail.
Arch Linux has updated libxslt (denial of service).
Debian has updated isc-dhcp (denial of service).
Debian-LTS has updated claws-mail (code execution).
openSUSE has updated ffmpeg (Leap42.1: multiple vulnerabilities).
Slackware has updated dhcp (denial of service).
Fedora has updated kernel (F23: multiple vulnerabilities), lighttpd (F23; F22: denial of service), nghttp2 (F22: code execution), qemu (F23: multiple vulnerabilities), and wireshark (F23: multiple vulnerabilities).
Mageia has updated bugzilla (multiple vulnerabilities), claws-mail (code execution), mariadb (multiple vulnerabilities), openvpn (multiple vulnerabilities), python-rsa (signature forgery), and ruby (code execution).
Red Hat has updated kernel (RHEL6.6: two vulnerabilities).
Ubuntu has updated oxide-qt (15.10, 15.04, 14.04: multiple vulnerabilities).