This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
RE: [SECURITY] p7zip: CVE-2015-1038
- From: Tony Kelman <tony at kelman dot net>
- To: "cygwin-apps at cygwin dot com" <cygwin-apps at cygwin dot com>
- Date: Tue, 9 Feb 2016 14:48:13 -0800
- Subject: RE: [SECURITY] p7zip: CVE-2015-1038
>> I don't have anything for sourceware or cygwin.com in
>> ~/.ssh/known_hosts, should I?
>
> In theory, yes. It's usually collected the first time you connect to
> the host. The idea is to have a known key to compare the host against
> to disallow MITM attacks.

Hm okay, what's the best way to get this fixed then? Generate new
ssh keys? Or someone else can NMU this since it's a security issue.
My cygport including the new patch is at https://github.com/tkelman/cygwin-p7zip
-Tony