darcs repository web UI and hosting app. This is the main darcsden trunk, which also runs hub.darcs.net. (https://hub.darcs.net)

#130ssh server authentication vulnerability

On 3/21 a software developer reported that the haskell ssh library used by darcs hub did not check for a valid signature on the public key during authentication. This means it was possible to authenticate as any other ssh user if you knew their public key. We believe the vulnerability is closed as of 3/25. It was announced to users on 4/15 and publicly on 4/20; see this blog post for more details.