OpenSSH vulnerability in Debian (and variants)

Posted by simon

This has been widely publicised - I found it on the Github Blog but you should also see the official Debian announcement. The underlying bug is in the random number generator of Debian's OpenSSL package, so any OpenSSH host or user key generated on an affected Debian or Ubuntu system comes from a small, predictable set. Installing the fixed packages is only the first step: every such key has to be replaced.

This is how I updated my Hardy (Ubuntu 8.04) slices:

sudo aptitude update
sudo aptitude install openssh-client openssh-server

Trying to do an aptitude safe-upgrade told me that the openssh-client and openssh-server packages were going to be kept back for some reason, so I fell back to explicitly upgrading. Say yes to the first solution that aptitude presents. A blue screen will eventually appear warning you that the machine's host keys are about to be regenerated. Say "OK". WARNING: this means the fingerprints in your known_hosts file (or equivalent) will no longer match, so your ssh client will warn that the host's identification has changed and, with OpenSSH's default StrictHostKeyChecking setting, refuse to connect until the stale entry is removed (ssh-keygen -R hostname does that). Before accepting the new key, compare the fingerprint the client shows with the one on the server itself (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the console) rather than just trusting it: a changed host key is exactly what a man-in-the-middle attack looks like, and this is the one occasion on which people are primed to click through the warning.

Next you need to regenerate any user keys that were generated on this system. I did this as follows:

rm ~/.ssh/id_rsa*
ssh-keygen

The new public key then has to replace the old one in authorized_keys on every host you log in to. Do that before you depend on it: once the old key is gone, any host that only knows the old public key will not let you in, so keep a password, a console, or a key generated on an unaffected machine to hand. Any DSA keys in ~/.ssh need the same treatment. Do not just keep the old key "for now": its private half is guessable by anyone who has the public key, which is why replacing it is not optional.

Next run ssh-vulnkey. This checks the keys in the usual locations, including every key in your authorized_keys file; sudo ssh-vulnkey -a checks every user's keys and the host keys in one go. Any key reported as vulnerable must be removed. A key reported as unknown is not a clean bill of health, it only means no blacklist is installed for that key type and size, so install openssh-blacklist-extra and run it again. A weak key in authorized_keys means the machine that generated it (some other system you use to connect to this box) still needs patching and a fresh key pair of its own; removing the line here stops that key being accepted, but the private key on the other machine is still predictable until it is regenerated there.
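What ssh-vulnkey actually does when it reports a key as vulnerable is take the MD5 fingerprint of the public key blob and look it up in the blacklist files shipped by the openssh-blacklist packages. The Python below is an added illustration of that lookup, not code from this post or from the ssh-vulnkey program: it parses authorized_keys-style lines (including ones with an options prefix or a known_hosts host field in front of the key), computes the fingerprint, checks the truncated form the blacklists store, and strips matching lines. The two keys and the one-entry blacklist are constructed for the example (real moduli and blacklists are far larger), and the detail that blacklist entries are the last 80 bits (20 hex digits) of the fingerprint is an assumption of this example about the file layout.

```python
"""Added example: the blacklist lookup behind ssh-vulnkey, over a constructed authorized_keys."""
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


KEY_RE = re.compile(r"\b(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)")


def parse_key_line(line: str):
    """Return (keytype, blob) for an authorized_keys/known_hosts/.pub line, else None.

    The key-type token is found by regex, so an options prefix (command=..., from=...)
    or a known_hosts host field before it does not matter. The decoded blob must start
    with the same key type; otherwise the line is treated as corrupt, not accepted.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    keytype, b64text = m.groups()
    try:
        blob = base64.b64decode(b64text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        return None
    return keytype, blob


def md5_fingerprint(blob: bytes) -> str:
    """32 hex digits: the MD5 fingerprint ssh-keygen -l printed in 2008, minus the colons."""
    return hashlib.md5(blob).hexdigest()


def blacklist_entry(fp_hex: str) -> str:
    """Truncated form stored in the blacklist files: assumed here to be the last 20 hex digits."""
    return fp_hex[-20:]


def scan(text: str, blacklist: set):
    """Classify each key line as VULNERABLE, ok or unparseable; blank and comment lines are skipped."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            out.append((lineno, "unparseable", None, None))
            continue
        keytype, blob = parsed
        fp = md5_fingerprint(blob)
        status = "VULNERABLE" if blacklist_entry(fp) in blacklist else "ok"
        out.append((lineno, status, keytype, fp))
    return out


def clean_authorized_keys(text: str, blacklist: set) -> str:
    """Return the file with blacklisted keys removed; lines that are not understood are kept."""
    bad = {r[0] for r in scan(text, blacklist) if r[1] == "VULNERABLE"}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample keys (not real keys; the moduli are arbitrary odd 1024-bit numbers).
WEAK_BLOB = rsa_blob(65537, (1 << 1023) | 0x1B2D3F4A5C6E7081)
GOOD_BLOB = rsa_blob(65537, (1 << 1023) | 0x7E6D5C4B3A291807)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed authorized_keys: one weak key, one restricted good key, one corrupt line.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {b64(WEAK_BLOB)} alice@laptop",
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {b64(GOOD_BLOB)} backup@nas',
    "ssh-rsa not-base64!! broken@host",
])

# Constructed blacklist: pretend alice's key came out of the broken PRNG.
BLACKLIST = {blacklist_entry(md5_fingerprint(WEAK_BLOB))}

if __name__ == "__main__":
    for lineno, status, keytype, fp in scan(AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: {status} {keytype or ''} {fp or ''}")
    print(clean_authorized_keys(AUTHORIZED_KEYS, BLACKLIST))
```

Two design points worth noting: the corrupt line is reported rather than dropped, because a cleanup tool that silently deletes what it cannot parse will one day delete a key it should not, and the key-type check against the decoded blob catches a line whose text and blob disagree, which is cheap insurance against a hand-edited file.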

Please note, this may not be the best or most efficient way of sorting out this problem, it's just the way that worked for me.