The problem affects OpenSSH versions 5.4 through 7.1. Version 5.4 dates back to 2010, so the problem has lingered for years, unnoticed (or, at least, undisclosed by anyone who did notice).
It stems from an experiment that lets users resume an interrupted connection. The server side of this experiment was never shipped, but the client side remained. That’s the chunk of code that turns out to be exploitable — and it’s turned on by default.
The vulnerabilities have been assigned the formal names of CVE-2016-0777 and CVE-2016-0778.
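A defender can check a client for this exposure from two inputs: the `ssh -V` banner and the client configuration text. The sketch below is an added example, not code from the article or from OpenSSH. It assumes the resume feature is controlled by the OpenSSH client option `UseRoaming`, a name this page does not give, and it compares only major.minor against the range stated above, so patch levels and distribution backports are not distinguished. The sample config is constructed.

```python
import re

AFFECTED_MIN, AFFECTED_MAX = (5, 4), (7, 1)  # range stated in the article

def in_affected_range(banner):
    """banner: text printed by `ssh -V`, e.g. 'OpenSSH_6.9p1, OpenSSL ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        return None  # unknown build, cannot decide from the banner
    return AFFECTED_MIN <= (int(m.group(1)), int(m.group(2))) <= AFFECTED_MAX

def roaming_disabled_for_all_hosts(config_text):
    """ssh_config uses the first value obtained for an option, so a
    'UseRoaming no' inside one Host block does not cover other hosts."""
    applies_to_all = True  # lines before any Host/Match apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            applies_to_all = value.split() == ["*"]
        elif key == "match":
            applies_to_all = False  # treated conservatively as host-specific
        elif key == "useroaming":
            if value.strip('"').lower() != "no":
                return False  # enabled for at least some hosts
            if applies_to_all:
                return True   # first global value is 'no'; later lines lose
    return False  # never set globally: the default (on) applies

def audit(banner, config_text):
    affected = in_affected_range(banner)
    if affected is False:
        return "outside affected range"
    if roaming_disabled_for_all_hosts(config_text):
        return "roaming disabled"
    return "exposed" if affected else "version unknown, roaming not disabled"

# Constructed sample: the option is set only for one host, so others stay exposed.
SAMPLE_CONFIG = "Host bastion\n    UseRoaming no\nHost *\n    ForwardAgent no\n"

if __name__ == "__main__":
    print(audit("OpenSSH_6.9p1, OpenSSL 1.0.2d", SAMPLE_CONFIG))
```

In practice the config text would be the concatenation of the user's `~/.ssh/config` followed by the system-wide `ssh_config`, in that order, since that is the order in which the client reads them.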