This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: [SECURITY] lftp
- From: Andrew Schulman <schulman dot andrew at epa dot gov>
- To: cygwin-apps at cygwin dot com
- Date: Mon, 23 Mar 2015 04:09:30 -0400
- Subject: Re: [SECURITY] lftp
- References: <1426716906 dot 12464 dot 70 dot camel at cygwin dot com> <1426716906 dot 12464 dot 70 dot camel-rDBXBDvO6BXQT0dZR+AlfA at public dot gmane dot org> <j4evgateud2gia0e5sd1p42rfrvk63pjn2 at 4ax dot com>
> > A security issue has been noted with lftp:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1180209
> >
> > This is the patch for 4.6.1:
> >
> > http://pkgs.fedoraproject.org/cgit/lftp.git/plain/lftp-4.6.1-auto-confirm.patch
>
> Thanks, I wasn't aware of that. New release coming out shortly.
lftp will now no longer automatically store the host key fingerprints of
unverified ssh servers. That's good, but it means that "cygport up" will now
fail (probably mysteriously) for maintainers who are connecting by ssh/sftp to
cygwin.com for the first time. New maintainers will need to connect by regular
sftp to cygwin.com one time first, to store the host key fingerprint in
known_hosts. After that "cygport up" will work. The cygport documentation
should be updated to say this.
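A preflight check for the situation described above, added here as an example and not code from the thread, cygport or lftp: before running "cygport up", confirm that the upload host already has a known_hosts entry, since lftp will no longer store one automatically. It assumes plain (unhashed) known_hosts entries, takes the hostname and known_hosts path as arguments, and the sample file in the usage is constructed.

```shell
#!/bin/sh
# Added example: check for a host key in known_hosts before "cygport up".
# Assumption: entries are unhashed; hashed "|1|..." lines are skipped because
# they cannot be compared by name without ssh-keygen.

known_host_present() {
    # $1 = hostname, $2 = path to known_hosts; returns 0 if present, 1 if not
    host=$1
    file=$2
    [ -r "$file" ] || return 1
    awk -v want="$host" '
        /^[[:space:]]*#/ || NF < 3 { next }       # comments and blank lines
        {
            field = $1
            if (field == "@revoked") next          # revoked key is not usable
            if (field ~ /^@/) field = $2           # @cert-authority marker
            if (index(field, "|1|") == 1) next     # hashed entry: skip
            n = split(field, hosts, ",")           # host,alias,ip ... form
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                sub(/^\[/, "", h)                  # [host]:port form
                sub(/\]:[0-9]+$/, "", h)
                if (h == want) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

preflight_cygport_up() {
    # $1 = upload host, $2 = known_hosts path
    if known_host_present "$1" "$2"; then
        echo "host key for $1 found in $2; cygport up can proceed"
        return 0
    fi
    echo "no host key for $1 in $2: connect once with 'sftp $1' and check" >&2
    echo "the fingerprint against the one published out of band, then retry" >&2
    return 1
}
```

Run it as `preflight_cygport_up cygwin.com ~/.ssh/known_hosts` before `cygport up`; a non-zero exit means the one-time manual sftp connection is still needed.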