Bug 30107 - mc new security issue CVE-2021-36370
Summary: mc new security issue CVE-2021-36370
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-02 20:44 CET by David Walser
Modified: 2022-03-06 11:41 CET

See Also:
Source RPM: mc-4.8.26-1.mga8.src.rpm
CVE: CVE-2021-36370
Status comment:



Description David Walser 2022-03-02 20:44:13 CET
openSUSE has issued an advisory on March 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/

The issue is fixed upstream in 4.8.27.
David Walser 2022-03-02 20:44:30 CET

Status comment: (none) => Fixed upstream in 4.8.27

Comment 1 Nicolas Salguero 2022-03-02 21:46:45 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity. (CVE-2021-36370)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36370
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/
========================

Updated package in core/updates_testing:
========================
mc-4.8.27-1.mga8

from SRPM:
mc-4.8.27-1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-36370
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 4.8.27 => (none)
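
For reference, the host-key check that the advisory says is missing from mc's SFTP code, written as an added Python illustration (not mc's libssh2-based code and not part of this bug report); the host name and key bytes below are constructed samples:

```python
import base64
import hashlib
import struct

def encode_public_key(key_type: str, raw_key: bytes) -> bytes:
    """Public-key blob in SSH wire format (length-prefixed type, then key bytes),
    the form stored base64-encoded in known_hosts and sent by the server."""
    kt = key_type.encode()
    return struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw_key)) + raw_key

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, key_type) -> key blob. Comments, hashed '|1|' entries and '@' marker lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#|@":
            continue
        hosts, key_type, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[(host, key_type)] = base64.b64decode(b64)
    return entries

def check_host_key(known_hosts: str, host: str, key_type: str, blob: bytes) -> str:
    """'match' may proceed; 'unknown' must display the fingerprint and ask the
    user; 'mismatch' (key changed since pinning) must abort the connection."""
    stored = parse_known_hosts(known_hosts).get((host, key_type))
    if stored is None:
        return "unknown"
    return "match" if stored == blob else "mismatch"

# Constructed sample data (hypothetical host, made-up key bytes): the key the
# user pinned earlier and a different key an interposed server could present.
PINNED_KEY = encode_public_key("ssh-ed25519", bytes(range(32)))
OTHER_KEY = encode_public_key("ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "files.example.test ssh-ed25519 " + base64.b64encode(PINNED_KEY).decode() + "\n"

def demo() -> dict:
    """Three outcomes; a client that never checks (the bug) treats all three alike."""
    return {
        "fingerprint": fingerprint(PINNED_KEY),
        "same_key": check_host_key(KNOWN_HOSTS, "files.example.test", "ssh-ed25519", PINNED_KEY),
        "new_host": check_host_key(KNOWN_HOSTS, "other.example.test", "ssh-ed25519", PINNED_KEY),
        "changed_key": check_host_key(KNOWN_HOSTS, "files.example.test", "ssh-ed25519", OTHER_KEY),
    }
```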

Comment 2 PC LX 2022-03-03 14:03:36 CET
Installed and tested.

I occasionally use mc to manage local and remote file systems (using shell link) but I've never been able to make sftp work. This update is no different.

Tested with my usual workflow and saw no regressions, so it's a partial OK from me.


System: Mageia 8, x86_64, Intel CPU.


$ uname -a
Linux marte 5.15.23-desktop-1.mga8 #1 SMP Fri Feb 11 09:56:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mc
mc-4.8.27-1.mga8

CC: (none) => mageia

Comment 3 Hugues Detavernier 2022-03-03 14:17:10 CET
Mageia 8 x86_64 GNOME VMware
Installed without problem.

MC works fine.


$ rpm -q mc
mc-4.8.27-1.mga8

CC: (none) => hdetavernier

David Walser 2022-03-03 20:27:25 CET

Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-03-03 21:37:30 CET
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-06 02:05:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-03-06 11:41:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0086.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

