We recently learned of a serious undocumented vulnerability in the ssh
<http://hackage.haskell.org/package/ssh> package. This is a minimal ssh server
implementation used by darcsden <http://hackage.haskell.org/package/darcsden>
to support darcs push/pull. If you use the ssh package, or you have darcsden’s
darcsden-ssh server running, you should upgrade to/rebuild with the imminent
ssh-0.3 release right away. Or if you know of someone like that, please let
them know. Also, if you're interested in cryptography/security, additional help
and patches for the ssh and darcsden packages would be very welcome.
I've blogged more details at
http://joyful.com/blog/2015-04-20-ssh-darcs-hub-vulnerability.html (if you're
a Darcs Hub user, hopefully you've already seen it).
Best - Simon