Portable OpenSSH version 3.9p1 fixes the directory traversal part. However, the SUID/SGID bits are still not stripped. I'm not sure what to make of this; I feel this is wrong. The general tend to have archivers strip these permission bits on extraction suggests that scp should so as well, at least by default.