We recently learned of a serious undocumented vulnerability in the
ssh package. This is a minimal ssh server implementation used by
darcsden to support darcs push/pull. If you use the ssh package, or you
have darcsden’s darcsden-ssh server running, you should upgrade to, or
rebuild with, the imminent ssh-0.3 release right away. If you know of
someone in that situation, please let them know. Also, if you're
interested in cryptography/security, additional help and patches for
the ssh and darcsden packages would be very welcome.