Fixed in Hardy now; stable updates still remain (Kees acknowledged this bug on IRC).

openssh (1:4.7p1-1) unstable; urgency=low

  * New upstream release (closes: #453367).
    - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
      creation of an untrusted cookie fails; found and fixed by Jan Pechanec
      (closes: #444738).
    - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
      installations are unchanged.
    - The SSH channel window size has been increased, and both ssh(1)
      sshd(8) now send window updates more aggressively. These improves
      performance on high-BDP (Bandwidth Delay Product) networks.
    - ssh(1) and sshd(8) now preserve MAC contexts between packets, which
      saves 2 hash calls per packet and results in 12-16% speedup for
      arcfour256/hmac-md5.
    - A new MAC algorithm has been added, UMAC-64 (RFC4418) as
      "<email address hidden>". UMAC-64 has been measured to be approximately
      20% faster than HMAC-MD5.
    - Failure to establish a ssh(1) TunnelForward is now treated as a fatal
      error when the ExitOnForwardFailure option is set.
    - ssh(1) returns a sensible exit status if the control master goes away
      without passing the full exit status.
    - When using a ProxyCommand in ssh(1), set the outgoing hostname with
      gethostname(2), allowing hostbased authentication to work.
    - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
    - Encode non-printing characters in scp(1) filenames. These could cause
      copies to be aborted with a "protocol error".
    - Handle SIGINT in sshd(8) privilege separation child process to ensure
      that wtmp and lastlog records are correctly updated.
    - Report GSSAPI mechanism in errors, for libraries that support multiple
      mechanisms.
    - Improve documentation for ssh-add(1)'s -d option.
    - Rearrange and tidy GSSAPI code, removing server-only code being linked
      into the client.
    - Delay execution of ssh(1)'s LocalCommand until after all forwardings
      have been established.
    - In scp(1), do not truncate non-regular files.
    - Improve exit message from ControlMaster clients.
    - Prevent sftp-server(8) from reading until it runs out of buffer space,
      whereupon it would exit with a fatal error (closes: #365541).
    - pam_end() was not being called if authentication failed
      (closes: #405041).
    - Manual page datestamps updated (closes: #433181).
  * Install the OpenSSH FAQ in /usr/share/doc/openssh-client.
    - Includes documentation on copying files with colons using scp
      (closes: #303453).
  * Create /var/run/sshd on start even if /etc/ssh/sshd_not_to_be_run exists
    (closes: #453285).
  * Fix "overriden" typo in ssh(1) (thanks, A. Costa; closes: #390699).
  * Refactor debian/rules configure and make invocations to make development
    easier.
  * Remove the hideously old /etc/ssh/primes on upgrade (closes: #123013).
  * Update moduli(5) to revision 1.11 from OpenBSD CVS.
  * Document the non-default options we set as standard in ssh_config(5) and
    sshd_config(5) (closes: #327886, #345628).
  * Recode LICENCE to UTF-8 when concatenating it to debian/copyright.
  * Override desktop-file-but-no-dh_desktop-call lintian warning; the
    .desktop file is intentionally not installed (see 1:3.8.1p1-10).
  * Update copyright dates for Kerberos patch in debian/copyright.head.
  * Policy version 3.7.3: no changes required.

 -- Colin Watson <email address hidden>  Mon, 24 Dec 2007 16:43:02 +0000