http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sshI wouldn't rely on your distribution's provider to keep you up to date on security patches, etc. Also, it's very easy to subscribe to the OpenSSH announce e-mail list and you'll only get mail when there's a new release. I'm on the Nessus, OpenSSL, OpenSSH, and qmail announce lists and I probably don't get more than ten e-mails per year.
I visit www.osdn.com every day so I see most of the major security bulletins. www.securityfocus.com isn't a bad site either. If you want security, don't expect to be spoon-fed by someone else. The burden is on *you* to keep up to date.
