[Haskell] ANN: ssh, darcsden vulnerability

Simon Michael simon at joyful.com
Mon Apr 20 23:35:49 UTC 2015


We recently learned of a serious undocumented vulnerability in the ssh <http://hackage.haskell.org/package/ssh> package. This is a minimal ssh server implementation used by darcsden <http://hackage.haskell.org/package/darcsden> to support darcs push/pull. If you use the ssh package, or you have darcsden’s darcsden-ssh server running, you should upgrade to/rebuild with the imminent ssh-0.3 release right away. Or if you know of someone like that, please let them know. Also, if you're interested in cryptography/security, additional help and patches for the ssh and darcsden packages would be very welcome.

I've blogged more details at http://joyful.com/blog/2015-04-20-ssh-darcs-hub-vulnerability.html (if you're a Darcs Hub user, hopefully you've already seen it).

Best - Simon