Bug 30107

Summary: mc new security issue CVE-2021-36370
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, hdetavernier, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: mc-4.8.26-1.mga8.src.rpm CVE: CVE-2021-36370
Status comment:

Description David Walser 2022-03-02 20:44:13 CET 
openSUSE has issued an advisory on March 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/

The issue is fixed upstream in 4.8.27.
David Walser 2022-03-02 20:44:30 CET

Status comment: (none) => Fixed upstream in 4.8.27

Comment 1 Nicolas Salguero 2022-03-02 21:46:45 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity. (CVE-2021-36370)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36370
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/
========================

Updated package in core/updates_testing:
========================
mc-4.8.27-1.mga8

from SRPM:
mc-4.8.27-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-36370
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 4.8.27 => (none)

Comment 2 PC LX 2022-03-03 14:03:36 CET 
Installed and tested.

I occasionally use mc to manage local and remote file systems (using shell link) but I've never been able to make sftp work. This update is no different.

Tested with my usual workflow and saw no regressions so its a partial OK from me.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.15.23-desktop-1.mga8 #1 SMP Fri Feb 11 09:56:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mc
mc-4.8.27-1.mga8

CC: (none) => mageia

Comment 3 Hugues Detavernier 2022-03-03 14:17:10 CET 
Mageia 8 X64 Gnome VmWare
Installed without problem.

MC works fine.


$ rpm -q mc
mc-4.8.27-1.mga8

CC: (none) => hdetavernier

David Walser 2022-03-03 20:27:25 CET

Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-03-03 21:37:30 CET 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-06 02:05:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-03-06 11:41:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0086.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED