The bug, a simple off by one error, exists in all version of OpenSSH from OpenSSH versions 2.0 - 3.0.2 which covers quite a bit of time.
Users with an existing user account can abuse this bug to gain root privileges. Exploitability without an existing user account has not been proven but is not considered impossible. A malicious ssh server could also use this bug to exploit a connecting vulnerable client.
A fix is available at http://www.openssh.com
so you should stop reading this and go upgrade now.