OpenSSH 5.0 released

Actually, I didn't say there were 50+ patches.  What I said was that THIS patch has been
applied to 50+ different Red Hat openssh RPM versions, since it was first discovered in 2005.
I have no idea how many different patches Red Hat is carrying for openssh, although that would
be interesting to look at.

You're right, we don't know whether Red Hat tried to report this upstream, and was rebuffed,
or not.  However, there's no indication (in the bug report etc.) that such an attempt was
made.  I have also heard rumors that it can be difficult to get bugs reported upstream for
openssh, probably because of the odd way it is packaged where the developers maintain only the
OpenBSD port and other people are left to maintain all the other ports: in some cases it might
be tricky to convince the developers that the bug exists in the original OpenBSD version as
well.

Still, as I said, even without the security implications being reported it seems like this is
an obvious bug that they would have been interested to hear about.