After filing #808901 I realize the source of the patch for #808890 is elsewhere than I had originally stated: for the 0.6.x series for CVE-20150-3146 the patch is within upstream tarball libssh-0.6.5.tar.xz:
libssh-0.6.5/CVE-2015-3146-libssh-0.6.x.patch Link to tarball: https://red.libssh.org/attachments/download/121/libssh-0.6.5.tar.xz -- Chris -- Chris Knadle chris.kna...@coredump.us