bump ssh dep to fix vuln

[twmb]

https://groups.google.com/forum/#!topic/golang-dev/bhd3Qn9_Q1k

Via go get -u, so includes one more day of commits rather than the exact commit referenced in the link.

[puellanivis]

The vulnerability seems to be unclear about when the issue was introduced, and just says the 20200220 commit version is vulnerable, and that is not the one we are using.

I’m not saying that we should not update the version, but it would be nice if security vulnerabilities always explained what versions are impacted.

[twmb]

This likely affects most backwards versions. Here's the fix commit.

I've pinned ssh where I need to an appropriate version, so I don't mind if this bump is not merged, but I recommend it be.

[puellanivis]

Yeah, go.mod intends that transitive dependencies should be updated regardless of what the middle-package says it requires. But this is still a good merge, considering the bug.

Best to not “recommend” a bad version.

[eikenb]

Thanks so much @twmb and @puellanivis for fixing this! I was AFK all week at a work function and didn't even see this until now. Really, I appreciate it so much.