From: Corinna Vinschen
To: cygwin-apps@cygwin.com
Date: Wed, 10 Feb 2016 10:40:00 -0000
Subject: Re: [SECURITY] p7zip: CVE-2015-1038
Message-ID: <20160210104031.GA14689@calimero.vinschen.de>
References: <56AB9A3F.3040808@cygwin.com> <20160208135409.GI27646@calimero.vinschen.de> <20160209104055.GB20838@calimero.vinschen.de>

On Feb 9 14:48, Tony Kelman wrote:
> >> I don't have anything for sourceware or cygwin.com in
> >> ~/.ssh/known_hosts, should I?
> >
> > In theory, yes. It's usually collected the first time you connect to
> > the host. The idea is to have a known key to compare the host against
> > to disallow MITM attacks.
>
> Hm okay, what's the best way to get this fixed then? Generate new
> ssh keys? Or someone else can NMU this since it's a security issue,
> my cygport including the new patch is at
> https://github.com/tkelman/cygwin-p7zip

I'm not sure in fact. The error you got was related to the host keys,
not the user keys. Changing the keys would probably not help, though
we can try that, of course.

What does "NMU" mean?

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat