I did an apt-get upgrade, but the ssh packages wouldn't upgrade, failing with this error...
root@bna-fw1:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
linux-image-server openssh-client openssh-server
I checked in the /etc/apt directories looking for some reason why it was held back, to no avail. Then I checked dpkg -l openssh-server, but the package wasn't marked as held either. Then I gave up and googled it. As it turns out, upgrading ssh requires you to install the oops-sorry-we-made-ssh-unsecure-won't-happen-again package, openssh-blacklist, and apt-get "upgrade" can't install a new package. This seems like an open manhole waiting to swallow any sysadmin that blindly trusts apt-get upgrade for updates.
The command to fix it and upgrade openssh-server/client is...
apt-get install openssh-blacklist
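
The kept-back condition described above can be checked for mechanically. The following is an added example, not part of the original post: it parses apt-get output and reports any kept-back packages. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag packages that "apt-get upgrade" leaves behind.

# Print each kept-back package name, one per line, from apt-get output on stdin.
# apt indents the package list under the heading and may wrap it over
# several lines; the list ends at the first non-indented line.
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { in_list = 1; next }
        in_list && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    '
}

# Return 1 (and list the names on stderr) if anything was kept back, else 0.
report_kept_back() {
    held=$(kept_back_packages)
    [ -z "$held" ] && return 0
    echo "WARNING: packages not upgraded by 'apt-get upgrade':" >&2
    echo "$held" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample input, modelled on the output quoted in the post.
SAMPLE_OUTPUT='Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  linux-image-server openssh-client
  openssh-server
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

# Demo on the sample; on a real host, pipe in a simulated run instead:
#   LC_ALL=C apt-get -s upgrade | report_kept_back
printf '%s\n' "$SAMPLE_OUTPUT" | report_kept_back || echo "exit status: $?"
```

Run from cron or a monitoring check, a non-zero exit makes a silently skipped security update visible instead of leaving it to be noticed by hand.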