From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 52617 invoked by alias); 9 Feb 2016 10:40:58 -0000 Mailing-List: contact cygwin-apps-help@cygwin.com; run by ezmlm Precedence: bulk Sender: cygwin-apps-owner@cygwin.com List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Mail-Followup-To: cygwin-apps@cygwin.com Received: (qmail 51654 invoked by uid 89); 9 Feb 2016 10:40:58 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-93.9 required=5.0 tests=BAYES_50,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_PBL,RDNS_DYNAMIC,USER_IN_WHITELIST autolearn=no version=3.3.2 spammy=tony, collected, Tony, SECURITY X-HELO: calimero.vinschen.de Received: from ipbcc0d020.dynamic.kabel-deutschland.de (HELO calimero.vinschen.de) (188.192.208.32) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 09 Feb 2016 10:40:57 +0000 Received: by calimero.vinschen.de (Postfix, from userid 500) id 21ABBA8051D; Tue, 9 Feb 2016 11:40:55 +0100 (CET) Date: Tue, 09 Feb 2016 10:40:00 -0000 From: Corinna Vinschen To: cygwin-apps@cygwin.com Subject: Re: [SECURITY] p7zip: CVE-2015-1038 Message-ID: <20160209104055.GB20838@calimero.vinschen.de> Reply-To: cygwin-apps@cygwin.com Mail-Followup-To: cygwin-apps@cygwin.com References: <56AB9A3F.3040808@cygwin.com> <20160208135409.GI27646@calimero.vinschen.de> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="p4qYPpj5QlsIQJ0K" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-SW-Source: 2016-02/txt/msg00015.txt.bz2 --p4qYPpj5QlsIQJ0K Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 1020 On Feb 8 17:42, Tony Kelman wrote: > >> Tony@LAPTOP-O230JCFF ~/github/cygwin-p7zip > >> $ cygport p7zip-15.09-2.cygport upload > >>>>> Uploading p7zip-15.09-2.x86_64 > >>>>> Running lftp sftp://cygwin@cygwin.com > >> Password: > >> cd: Fatal error: Host key verification failed > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > The host key you stored for sourceware isn't the right one for some > > reason. Remove it with ssh-keygen -R and check for correctness when > > you connect again, see the fingerprints at > > https://sourceware.org/cygwin-apps/package-upload.html >=20 > Thanks for the help Corinna. >=20 > I don't have anything for sourceware or cygwin.com in > ~/.ssh/known_hosts, should I? In theory, yes. It's usually collected the first time you connect to the host. The idea is to have a known key to compare the host against to disallow MITM attacks. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --p4qYPpj5QlsIQJ0K Content-Type: application/pgp-signature; name="signature.asc" Content-length: 819 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWucI2AAoJEPU2Bp2uRE+gcWUQAJYC1u2m80A0yv9+C52Sg7Dv YO8WENrZLQTrauVyV+muYu5CD9141v5nEmZwz2Kg7OKDct2TA0/8OEUTaxDvjKjx yk30+nwgxB2KNqQ2UkkaIZiGmZtrb43rnM/RHKf5L8utOWBfQ6ZykNrYrXUlpaiF brK3ru3x9Nc0kIKnY3jGCjfJuxEMfb9XbgZiMAGZc9botH9lNW+fpipyinqKUfMI rcv0DWVMPE5I6MAwlsGpVIstZ2Cl52ATw23/TRbIw7kDPL1/833ochLcjqX2SAP+ IUS5jBwHOSNG/JNjYKHAznIlemRvUk+eItXbJc8+CZ63h91l7iQkg9SJUkkfTV0I gE1LJZjNnGa14za3vVUyID6Q8PDK7ZyCjYnVVOKSwc4FTx+oq79/085Li3/LLY5U k2VwfdR5an12XBFS+3fkgn1/Dw8MUDh/fw3CqRU74VlIAXTgRGodotQnQFyoZGmf L1CRSh/FGQk06HezpAxcf0A6elqYgbuxSJF3E+JeGHtv4LJNLSaGXsNE956czq+z p6uaGIcMXxFznZ5nsS1e+xLlmcFs62fjC3JjDMmJskrXBTOvN6nxwDuld9sDahhx 1eADJj5LZE3lZ5Q9YhtJILwctdtllGdPRoHjkdj8y+qq4fXwHrgE57z1n+msuQZr DEhvbPfEMepeYXvqYiuk =wN7c -----END PGP SIGNATURE----- --p4qYPpj5QlsIQJ0K--