openSUSE has issued an advisory on March 1: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/ The issue is fixed upstream in 4.8.27.
Status comment: (none) => Fixed upstream in 4.8.27
Suggested advisory: ======================== The updated package fixes a security vulnerability: An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity. (CVE-2021-36370) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36370 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5SJPZ2MSI7IPFCS5TFZZVXF4NN6XKYKJ/ ======================== Updated package in core/updates_testing: ======================== mc-4.8.27-1.mga8 from SRPM: mc-4.8.27-1.mga8.src.rpm
Assignee: bugsquad => qa-bugsCC: (none) => nicolas.salgueroCVE: (none) => CVE-2021-36370Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 4.8.27 => (none)
Installed and tested. I occasionally use mc to manage local and remote file systems (using shell link) but I've never been able to make sftp work. This update is no different. Tested with my usual workflow and saw no regressions so its a partial OK from me. System: Mageia 8, x86_64, Intel CPU. $ uname -a Linux marte 5.15.23-desktop-1.mga8 #1 SMP Fri Feb 11 09:56:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q mc mc-4.8.27-1.mga8
CC: (none) => mageia
Mageia 8 X64 Gnome VmWare Installed without problem. MC works fine. $ rpm -q mc mc-4.8.27-1.mga8
CC: (none) => hdetavernier
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0086.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED