From ${URL} :

From the src/SSH_Access.cc file:

47: const char *y="(yes/no)?";

73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
74: {
75:   pty_recv_buf->Put("yes\n");
76:   pty_send_buf->Put("yes\n");
77:   return m;
78: }

Not only does it make a particular SFTP file transfer insecure, but also any future connection via any SSH client.

After enabling debug (the "yes" answer is generated automatically):

#v+
$ lftp sftp://mszewczyk@localhost:22203
Password:
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<---
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.
#v-

--8<--

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
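The check quoted from SSH_Access.cc, reduced to a stand-alone C model with a gated variant beside it. This is an added example written for this page, not lftp's code: the function names, the prompt_action enum and the auto_confirm flag are hypothetical, and the flag only stands in for an opt-in like lftp's sftp:auto-confirm setting, whose exact semantics are assumed here. The sample ssh output is constructed from the debug transcript above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not lftp's code. Models the pty-output check quoted
 * above: if the ssh child's buffered output ends with "(yes/no)?", the
 * host-key prompt is answered "yes" unconditionally. Function names,
 * the prompt_action enum and the auto_confirm flag are hypothetical. */

enum prompt_action { NO_PROMPT = 0, ANSWER_YES = 1, REFUSE = 2 };

static const char PROMPT_TAIL[] = "(yes/no)?";

/* Length of s once trailing whitespace is dropped: ssh prints a space
 * after the question mark, and a newline may follow it. */
static size_t trimmed_len(const char *s)
{
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1]))
        len--;
    return len;
}

/* Vulnerable form (pre-4.6.2 behaviour): any output whose tail matches
 * "(yes/no)?" case-insensitively is confirmed, so an unknown, possibly
 * attacker-substituted, host key is accepted and ssh records it in
 * known_hosts for every later connection to that host. */
enum prompt_action vulnerable_decide(const char *out)
{
    size_t y_len = strlen(PROMPT_TAIL);
    size_t s = trimmed_len(out);
    if (s >= y_len && !strncasecmp(out + s - y_len, PROMPT_TAIL, y_len))
        return ANSWER_YES;
    return NO_PROMPT;
}

/* Hardened form: identical detection, but the "yes" is gated on an
 * explicit opt-in (modelled on the sftp:auto-confirm setting; its exact
 * semantics in lftp are assumed). Without the opt-in the prompt is
 * refused, so the transfer fails instead of silently trusting the key. */
enum prompt_action hardened_decide(const char *out, int auto_confirm)
{
    enum prompt_action a = vulnerable_decide(out);
    if (a == ANSWER_YES && !auto_confirm)
        return REFUSE;
    return a;
}

/* Bytes written back to the ssh pty for a decision; NULL means nothing. */
const char *answer_for(enum prompt_action a)
{
    switch (a) {
    case ANSWER_YES: return "yes\n";
    case REFUSE:     return "no\n";
    default:         return NULL;
    }
}

int main(void)
{
    /* Constructed sample of what ssh prints for an unknown host key. */
    const char *prompt =
        "The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.\r\n"
        "RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.\r\n"
        "Are you sure you want to continue connecting (yes/no)? ";
    const char *quiet = "---> sending a packet, length=5, type=1(INIT), id=0\r\n";

    printf("vulnerable:            %s", answer_for(vulnerable_decide(prompt)));
    printf("hardened, opt-in off:  %s", answer_for(hardened_decide(prompt, 0)));
    printf("hardened, opt-in on:   %s", answer_for(hardened_decide(prompt, 1)));
    printf("no prompt in output:   %s\n",
           answer_for(hardened_decide(quiet, 0)) ? "answered" : "nothing sent");
    return 0;
}
```

The detection itself is unchanged in both forms; the security difference is entirely in who decides to trust the key. Refusing by default turns a silent known_hosts poisoning into a visible connection failure that the user can resolve by verifying the fingerprint out of band.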
"lftp does not ask the user asynchronously by design. I can make a setting to disable accessing unknown hosts by default."

And also https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec, but I'd rather wait until that is properly released.
Development snapshot 4.6.1.20150401 should fix this but will not go stable.
"lftp-4.6.2 has been released.

Changes:
* fixed a wildcard certificate validation vulnerability (CVE-2014-0139).
* new settings fish:auto-confirm and sftp:auto-confirm."

Arch teams, please test and mark stable:
=net-ftp/lftp-4.6.2
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
sparc stable
alpha stable
ia64 stable
arm stable, all arches done.
All done.
Arches and Maintainer(s), thank you for your work.

CVE requested here: http://seclists.org/oss-sec/2015/q1/819

Security, please vote.

First GLSA vote: No
NO too, closing.