<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">We recently learned of a serious undocumented vulnerability in the <a href="http://hackage.haskell.org/package/ssh" class="">ssh</a> package. This is a minimal ssh server implementation used by <a href="http://hackage.haskell.org/package/darcsden" class="">darcsden</a>
 to support darcs push/pull. If you use the ssh package, or you have 
darcsden’s darcsden-ssh server running, you should upgrade to/rebuild 
with the imminent ssh-0.3 release right away. Or if you know of someone 
like that, please let them know. Also, if you're interested in cryptography/security, additional help and patches for the ssh and darcsden packages would be very welcome.</div><div class=""><br class=""></div><div class="">I've blogged more details at <a href="http://joyful.com/blog/2015-04-20-ssh-darcs-hub-vulnerability.html" class="">http://joyful.com/blog/2015-04-20-ssh-darcs-hub-vulnerability.html</a> (if you're a Darcs Hub user, hopefully you've already seen it).</div><div class=""><br class=""></div><div class="">Best - Simon</div></body></html>