what projects are built on libssh?
GitHub uses it but says they do so in a way that didn’t expose this vulnerability. There’s some discussion in an Ars Technica article that suggests using libssh in server mode (vs. the client-side library) is uncommon.
The sloppiness of this release is concerning.
the attacker could successfully authentciate without any credentials
#2 is pretty minor, but attention to detail should be a strong feature for maintainers of software like this.
I don’t see the ① issue? The download page is on www.libssh.org just like the news article, and that domain has a proper TLS cert. The only link to cryptomilk.org I can see is as an example keyserver for the GPG key whose fingerprint is given on the download page. And going there, that TLS cert looks right too. (Maybe it was fixed in the meantime?) In any case cryptomilk.org appears completely unrelated to www.libssh.org.
Am I missing something?
Evidently the issue was fixed :)