public inbox for cygwin-apps@cygwin.com
* [SECURITY] lftp
@ 2015-03-18 22:15 Yaakov Selkowitz
  2015-03-23  7:15 ` Andrew Schulman
  0 siblings, 1 reply; 3+ messages in thread
From: Yaakov Selkowitz @ 2015-03-18 22:15 UTC (permalink / raw)
  To: cygwin-apps

Andrew,

A security issue has been noted with lftp:

https://bugzilla.redhat.com/show_bug.cgi?id=1180209

This is the patch for 4.6.1:

http://pkgs.fedoraproject.org/cgit/lftp.git/plain/lftp-4.6.1-auto-confirm.patch

TIA,

Yaakov



* Re: [SECURITY] lftp
  2015-03-18 22:15 [SECURITY] lftp Yaakov Selkowitz
@ 2015-03-23  7:15 ` Andrew Schulman
  2015-03-23  8:09   ` Andrew Schulman
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Schulman @ 2015-03-23  7:15 UTC (permalink / raw)
  To: cygwin-apps

> A security issue has been noted with lftp:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1180209
> 
> This is the patch for 4.6.1:
> 
> http://pkgs.fedoraproject.org/cgit/lftp.git/plain/lftp-4.6.1-auto-confirm.patch

Thanks, I wasn't aware of that.  New release coming out shortly.


* Re: [SECURITY] lftp
  2015-03-23  7:15 ` Andrew Schulman
@ 2015-03-23  8:09   ` Andrew Schulman
  0 siblings, 0 replies; 3+ messages in thread
From: Andrew Schulman @ 2015-03-23  8:09 UTC (permalink / raw)
  To: cygwin-apps

> > A security issue has been noted with lftp:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1180209
> > 
> > This is the patch for 4.6.1:
> > 
> > http://pkgs.fedoraproject.org/cgit/lftp.git/plain/lftp-4.6.1-auto-confirm.patch
> 
> Thanks, I wasn't aware of that.  New release coming out shortly.

lftp will now no longer automatically store the host key fingerprints of
unverified ssh servers.  That's good, but it means that "cygport up" will now
fail (probably mysteriously) for maintainers who are connecting by ssh/sftp to
cygwin.com for the first time.  New maintainers will need to connect by regular
sftp to cygwin.com one time first, to store the host key fingerprint in
known_hosts.  After that "cygport up" will work.  The cygport documentation
should be updated to say this.
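
The failure mode described above can be made explicit with a pre-flight check that looks for a stored host key before an upload is attempted. This is an added example, not part of the thread and not code from cygport or lftp; the function names and the sample known_hosts content are constructed, and it assumes only exact host names and hashed (HashKnownHosts) entries need matching, not wildcard patterns.

```python
import base64, hashlib, hmac

def _hashed_match(token, host):
    # HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
    try:
        _, magic, salt_b64, mac_b64 = token.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:
        return False
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return magic == "1" and hmac.compare_digest(digest, mac)

def host_keys(known_hosts_text, host):
    """Return [(keytype, fingerprint)] for stored keys that match host."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, malformed lines and @revoked/@cert-authority markers.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, keytype, blob = fields[:3]
        if names.startswith("|"):
            hit = _hashed_match(names, host)
        else:
            hit = host in names.split(",")  # exact names only (assumption)
        if hit:
            raw = hashlib.sha256(base64.b64decode(blob)).digest()
            fp = base64.b64encode(raw).decode().rstrip("=")
            found.append((keytype, "SHA256:" + fp))
    return found

def preflight(known_hosts_text, host="cygwin.com"):
    """(ok, message): ok is False when no key is stored for host."""
    keys = host_keys(known_hosts_text, host)
    if not keys:
        return False, f"no host key stored for {host}; connect once with sftp first"
    return True, ", ".join(f"{t} {fp}" for t, fp in keys)

# Constructed sample data (not real keys): one plain entry, one hashed entry.
_BLOB = base64.b64encode(b"constructed-key-blob").decode()
_SALT = b"constructed-salt-20b"
_MAC = hmac.new(_SALT, b"cygwin.com", hashlib.sha1).digest()
SAMPLE = "\n".join([
    "# constructed known_hosts content",
    f"example.org,192.0.2.10 ssh-ed25519 {_BLOB}",
    f"|1|{base64.b64encode(_SALT).decode()}|{base64.b64encode(_MAC).decode()} ssh-ed25519 {_BLOB}",
    f"@revoked cygwin.com ssh-rsa {_BLOB}",
])
```

In real use the text passed in would be the contents of the user's known_hosts file; `ssh-keygen -F cygwin.com` performs the same lookup from the command line.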
