CVE-2021-36370: An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity. Fixed in 4.8.27 according to https://midnight-commander.org/wiki/NEWS-4.8.27. Please remember to file security bugs when there are security issues in changelogs! Please stabilize 4.8.27.
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf490bf9bec287e3927af2df506fa63a9e245f1

commit 7bf490bf9bec287e3927af2df506fa63a9e245f1
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-01 09:42:55 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-01 09:42:55 +0000

    app-misc/mc: Security cleanup

    Bug: https://bugs.gentoo.org/811159
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-misc/mc/Manifest | 1 -
 app-misc/mc/files/mc-4.8.26-file-seccomp.patch | 142 -------------------------
 app-misc/mc/files/mc-4.8.26-shadow-crash.patch | 39 -------
 app-misc/mc/mc-4.8.26-r4.ebuild | 125 ----------------------
 app-misc/mc/mc-4.8.26-r5.ebuild | 131 -----------------------
 5 files changed, 438 deletions(-)
Very low impact, no GLSA. Thanks Lars!