From: Tony Kelman
To: "cygwin-apps@cygwin.com"
Subject: RE: [SECURITY] p7zip: CVE-2015-1038
Date: Tue, 09 Feb 2016 22:48:00 -0000

>> I don't have anything for sourceware or cygwin.com in
>> ~/.ssh/known_hosts, should I?
>
> In theory, yes. It's usually collected the first time you connect to
> the host. The idea is to have a known key to compare the host against
> to disallow MITM attacks.

Hm okay, what's the best way to get this fixed then? Generate new ssh keys?
Or someone else can NMU this since it's a security issue, my cygport
including the new patch is at https://github.com/tkelman/cygwin-p7zip

-Tony