Vulnerability in all openssh versions 3.6x and earlier
johnbryanpeters
09-16-2003, 12:03 PM
A vulnerability exists in all openssh versions 3.6x and earlier. There has been quite a bit of discussion about an exploit in the underground... Reportedly, at least one ISP has been compromised and had disallowed ssh into their servers until a fix was made available. The fixed version is at:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz
johnbryanpeters
09-16-2003, 02:24 PM
From: "InfraGard"
Subject: [Infragard_secured] OpenSSH Vulnerability
Date: Tue, 16 Sep 2003 11:39:27 -0500
Dear Members,
This is intended to be a quick heads-up to InfraGard members.
There appears to be a major OpenSSH vulnerability that is quietly being exploited at some high-profile targets. OpenSSH 3.7p1 was released earlier this am. Linux appears to be particularly vulnerable; no clear information on others such as OpenBSD, nor other versions/implementations of SSH.
Note that there are many implementations of SSH that run on many devices, including network appliance-class devices.
Until more information is available, system operators should patch your systems to OpenSSH >= 3.7p1 and check your firewalls allowing SSH only from trusted sources.
InfraGard Team
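
A first-pass inventory check for the patching advice in the advisory above, added here as an example and not part of the original posts: it classifies SSH identification banners against the 3.7p1 threshold named in the thread. The host names and banner strings are constructed sample data, and a banner is only a hint, since a vendor package can carry a fix without changing its version string.

```python
import re

# First fixed release named in the thread is OpenSSH 3.7p1, i.e. numeric (3, 7).
FIXED = (3, 7)

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")
# OpenSSH software field, e.g. "OpenSSH_3.6.1p2" (the "pN" suffix marks portable builds).
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<num>\d+(?:\.\d+)*)(?:p(?P<portable>\d+))?")


def classify(banner):
    """Return 'needs-upgrade', 'ok', 'not-openssh' or 'unparsed' for one banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    sw = OPENSSH_RE.match(m.group("software"))
    if not sw:
        # Other SSH implementations: the advisory has no information on these,
        # so they are reported separately rather than assumed safe.
        return "not-openssh"
    version = tuple(int(part) for part in sw.group("num").split("."))
    # Tuple comparison: (3, 6, 1) < (3, 7), while (3, 7) and (3, 7, 1) are not.
    return "needs-upgrade" if version < FIXED else "ok"


def triage(inventory):
    """Classify (host, banner) pairs; hosts that need the upgrade sort first."""
    results = [(host, classify(banner)) for host, banner in inventory]
    return sorted(results, key=lambda item: (item[1] != "needs-upgrade", item[0]))


# Constructed sample inventory (hypothetical hosts, constructed banners).
SAMPLE_INVENTORY = [
    ("host-a", "SSH-2.0-OpenSSH_3.7p1"),
    ("host-b", "SSH-1.99-OpenSSH_3.6.1p2"),
    ("host-c", "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1"),
    ("host-d", "SSH-2.0-ExampleSSHD_1.0"),  # placeholder non-OpenSSH server
    ("host-e", "220 mail.example.com ESMTP"),  # not an SSH service at all
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{verdict}")
```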