Managed customers of Mythic Beasts with libssh installed will have just received a notification that we updated it without warning or testing.
This is obviously bad practice, so what were we thinking?
A security advisory for libssh has just come out which is very bad. To paraphrase,
libssh -> hello new user user -> can I have a root shell libssh -> can you authenticate? user -> yes but I'm not going to libssh -> okay, have a root shell
This is completely secure, unless the client is prepared to lie in order to exploit your system. In the late 1990s some of our founders might have once exploited an online quiz in exactly the same way to get perfect scores. Don’t trust the client.
In our risk analysis, the risk of breakage to a customer site though a botched patch is vastly lower than giving an attacker a root shell, which is why we pushed an emergency update within a few hours of updated packages being available.
If this is the first you’ve heard about the issue, we suggest you’d benefit from our Managed Services