Just point me to the thread if I missed a discussion...

Right now distfiles/vulnerabilities says ssh<1.2.31 is vulnerable.

The latest version in pkgsrc is 1.2.27nb1, whose patch-ac seems to
address the issue that the vulnerabilities file points to.

So... should security/ssh be marked BROKEN, or the entry in
vulnerabilties be removed, or... something else?

Currently the package is 'clean', but audit-packages reports it broken.
That's bad.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Unless you have a solution
when you tell them things like that, most people collapse into a gibbering, 
unthinking mass.  This is the same reason why you probably don't tell your 
boss about everything you read on BugTraq!    - Signal 11