You have three options:
1) Patch existing source code:
If you have source installed for OpenSSH, you can apply this
patch and recompile.
This is an unlikely situation on Mac OS X.
2) Download, compile, and reinstall.
This is the simplest.
Download OpenSSH 3.7p1. Decompress, and make as usual (as you suggested).
3) Wait for Apple to issue an update.
If you're going to take this route, at least do the following:
If you're connected directly to the internet with your OS X box (no router or firewall), edit the file /etc/sshd_config and change the default port (so people who scan networks for ssh to exploit won't likely find you).
My file contains:
Which will make sshd only answer on port 9022.
So, shell to the host like this:
$ ssh -p9022 hostname
If you're behind a firewall, and have a bit of a network, just add a port like this:
And only route port 9022 externally. This way, you don't have to specify a port number when you're just ssh'ing around in your private network.
Of course, you'll have to restart sshd once you make a change to the config file. You can just toggle it off and on in the System Preferences if you like.
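As an added example (not part of the original post), here is a small POSIX shell function that reports which ports an sshd_config file will actually bind, honouring multiple `Port` directives, commented-out lines, and the default of 22 when no `Port` line is present; the sample config it reads is constructed inline to mirror the two-port layout described above:

```shell
#!/bin/sh
# Added example, not from the original post: list the ports an sshd_config
# will listen on. Handles several "Port" directives (sshd binds all of them),
# "#Port 22"-style comments, case-insensitive keywords, and the implicit
# default of 22 when the file names no port at all.

# sshd_ports FILE -> prints one listening port per line
sshd_ports() {
    # Drop comments, then keep the second field of every "Port N" line.
    ports=$(sed 's/#.*//' "$1" | awk 'tolower($1) == "port" { print $2 }')
    if [ -z "$ports" ]; then
        echo 22            # no Port directive: sshd uses its built-in default
    else
        printf '%s\n' $ports
    fi
}

# sshd_listens_on FILE PORT -> exit 0 if PORT is among the bound ports
sshd_listens_on() {
    sshd_ports "$1" | grep -qx "$2"
}

# Constructed sample config (not a real system file): a commented-out
# default plus the internal 22 / external 9022 pair from the post.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#Port 22
Port 22
Port 9022
ListenAddress 0.0.0.0
EOF

# Constructed config with no Port line, to show the default path.
DEFAULT_CFG=$(mktemp)
echo "ListenAddress 0.0.0.0" >"$DEFAULT_CFG"

sshd_ports "$SAMPLE_CFG"      # prints 22 and 9022, one per line
sshd_ports "$DEFAULT_CFG"     # prints 22
```

Run it against the real file with `sshd_ports /etc/sshd_config` after editing, and before restarting sshd, to confirm the port you intend to route externally is the one configured.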