Quoting William Allen Simpson (wsimpson@greendragon.com):
> William Allen Simpson wrote:
> > 
> > "Wolfgang S. Rupprecht" wrote:
> > > The /usr/pkgsrc tree also installs the current 3.7.1 version.  Hats
> > > off the guys that got this out the door so quickly.  (I was about to
> > > patch my local copy of openssh's buffer.c when I noticed that anon-cvs
> > > was already updated.)
> 
> Well, as far as I can tell, it *IS* *NOT* 3.7.1, it is 3.7p1, but the 
> latest is supposed to be 3.7.1p1.  Serious naming confusion!!!

3.7 came out this morning (PST) - buffer.c changes.
Fixes the CERT problem.

3.7.1, AFAIK, just fixes some other things for which
exploits may or may not exist - just related or similar
logic-os (like typos) in the code.

No reason to use 3.7 if you can get 3.7.1.
But you can live with 3.7 for a bit if you've got it.

That's my understanding of the situation.