darcs repository web UI and hosting app. This is the main darcsden trunk, which also runs hub.darcs.net. (https://hub.darcs.net)
#130ssh server authentication vulnerability
On 3/21 a software developer reported that the haskell ssh library used by darcs hub did not check for a valid signature on the public key during authentication. This means it was possible to authenticate as any other ssh user if you knew their public key. We believe the vulnerability is closed as of 3/25. It was announced to users on 4/15 and publicly on 4/20; see this blog post for more details.
- status set to closed
The plan in the post has been mostly executed; a darcsden minor release and revisions to old releases were made to require the newer ssh.
