Ticket #4259 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

SFTPFS does not verify server fingerprint (CVE-2021-36370)

Reported by: andrew_b Owned by: andrew_b
Priority: major Milestone: 4.8.27
Component: mc-vfs Version: master
Keywords: Cc:
Blocked By: Blocking:
Branch state: merged Votes for changeset: committed-master

Description

Midnight Commander does not verify the SSH server fingerprint when an SFTP connection is established.

In the source code, the fingerprint is calculated, but the verification step is missing.
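The verification step the description refers to, sketched as an added example (this is not Midnight Commander's code or its actual fix): the key the server presents is looked up in OpenSSH-format known_hosts data and classified as match, mismatch or notfound. Host names, key blobs and the salt are constructed sample values, and the parser is simplified (no wildcard patterns, `@cert-authority`/`@revoked` lines skipped).

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or hashed |1|salt|hash."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in field.split(",")

def check_host_key(known_hosts, host, key_type, key_b64):
    """Return 'match', 'mismatch' or 'notfound' for the key the server presented."""
    result = "notfound"
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):
            continue  # blank lines, comments and @marker lines (simplification)
        field, ktype, blob = parts[:3]
        if ktype != key_type or not host_matches(field, host):
            continue
        if hmac.compare_digest(fingerprint(blob), fingerprint(key_b64)):
            return "match"
        result = "mismatch"  # same host and key type, different key
    return result

# Constructed sample data: the key blobs are placeholders, not real SSH keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SALT = b"constructed-salt"
HASHED = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"files.example.test", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = ("sftp.example.test,192.0.2.10 ssh-ed25519 %s\n"
               "%s ssh-ed25519 %s\n" % (KEY_A, HASHED, KEY_A))

if __name__ == "__main__":
    for key in (KEY_A, KEY_B):
        print(fingerprint(key), check_host_key(KNOWN_HOSTS, "sftp.example.test", "ssh-ed25519", key))
```

Computing the fingerprint alone, as the ticket describes, corresponds to calling only `fingerprint()`; the security decision is made on the result of `check_host_key()`.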

Change History

comment:1 Changed 3 years ago by andrew_b

  • Owner set to andrew_b
  • Status changed from new to accepted
  • Branch state changed from no branch to on review
  • Milestone changed from Future Releases to 4.8.27

Branch: 4259_sftp_verify_fingerprint
Initial changeset:e9621365cf2d561cf3379c9807583e18aa3a604c

comment:2 Changed 3 years ago by andrew_b

  • Votes for changeset set to andrew_b
  • Branch state changed from on review to approved

comment:3 Changed 3 years ago by andrew_b

  • Status changed from accepted to testing
  • Votes for changeset changed from andrew_b to committed-master
  • Resolution set to fixed
  • Branch state changed from approved to merged

Merged to master: [9e5535e2d91e7466d16167d857e329146af31961].

git log --pretty=oneline fa9ea0d61..9e5535e2d

comment:4 Changed 3 years ago by andrew_b

  • Status changed from testing to closed
  • Summary changed from SFTPFS does not verify server fingerprint to SFTPFS does not verify server fingerprint (CVE-2021-36370)