Tillman,
http://www.debian.org/security/2001/dsa-086 says that a patched ssh-nonfree package in potato has been made available.
I wouldn't run potato in production just because it takes too long for packages to make it there, whereas woody and sid don't have this problem.
I run several production servers with Debian sid (unstable) with no problems whatsoever. In Debian's context "unstable" means "changes a lot" and not "broken". If you are careful when apt-get-upgrading then you are fine.
I found that Debian unstable is more stable than most other distribution's stable releases.