Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package lftp

lftp in jessie/testing accepts and adds ssh host keys (fish/sftp) hardcoded.
This is fixed by the upstream patch.

Debian Bug #774769
Upstream Patch 
https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec

The bug is reported normal with the security tag and Moritz Mühlenhoff
asked for jessie integration.

Thanks for your work

Regards

        Noël

# debdiff lftp_4.6.0-1.dsc lftp_4.6.0-1+deb8u1.dsc

diff -Nru lftp-4.6.0/debian/changelog lftp-4.6.0/debian/changelog
--- lftp-4.6.0/debian/changelog 2014-10-14 14:29:20.000000000 +0200
+++ lftp-4.6.0/debian/changelog 2015-01-31 18:32:39.000000000 +0100
@@ -1,3 +1,10 @@
+lftp (4.6.0-1+deb8u1) testing-proposed-updates; urgency=medium
+
+  * adding upstream patch to fix auto-confirm of ssh/sftp host keys
+    closes: Bug#774769
+
+ -- Noël Köthe <n...@debian.org>  Sat, 31 Jan 2015 18:29:33 +0100
+
 lftp (4.6.0-1) unstable; urgency=medium
 
   * new upstream release from 2014-10-14
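Review bot: the new 4.6.0-1+deb8u1 entry does not say that the default behaviour changes. With the patch applied, lftp answers "no" to the host key question unless fish:auto-confirm or sftp:auto-confirm is set (both default to "no" in src/resource.cc), so unattended transfers that relied on the automatic "yes" will start failing after the upgrade. Suggest saying so in the entry and naming both settings, since the line mentions only "ssh/sftp" while the patch also covers fish.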
diff -Nru 
lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch
 
lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch
--- 
lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch
   2015-01-31 18:24:16.000000000 +0100
@@ -0,0 +1,78 @@
+From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov" <lavv...@gmail.com>
+Date: Tue, 13 Jan 2015 15:33:54 +0300
+Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm
+
+New host keys are now not confirmed by default, this should improve security.
+Suggested by Marcin Szewczyk <marcin.szewc...@wodny.org>
+---
+ doc/lftp.1        | 8 ++++++++
+ src/SSH_Access.cc | 5 +++--
+ src/resource.cc   | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lftp.1 b/doc/lftp.1
+index cabc1be..ed6c388 100644
+--- a/doc/lftp.1
++++ b/doc/lftp.1
+@@ -1384,6 +1384,10 @@ address family in dns:order.
+ .BR file:charset \ (string)
+ local character set. It is set from current locale initially.
+ .TP
++.BR fish:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR fish:charset \ (string)
+ the character set used by fish server in requests, replies and file listings.
+ Default is empty which means the same as local.
+@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to.
+ save pget transfer status this often. Set to `never' to disable saving of the 
status file.
+ The status is saved to a file with suffix \fI.lftp-pget-status\fP.
+ .TP
++.BR sftp:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR sftp:charset \ (string)
+ the character set used by SFTP server in file names and file listings.
+ Default is empty which means the same as local. This setting is only used
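Review bot: neither new man page entry (fish:auto-confirm in the first doc/lftp.1 hunk, sftp:auto-confirm in this one) states the default, which src/resource.cc sets to "no", and neither mentions that the value is looked up per host (src/SSH_Access.cc passes hostname to QueryBool). Suggest adding "Default is no" to both entries and a sentence that the setting can be enabled for a single trusted host rather than globally, because "yes" is answered to all ssh questions, not only the new host key one.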
+diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
+index 706fc6a..17c716d 100644
+--- a/src/SSH_Access.cc
++++ b/src/SSH_Access.cc
+@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage()
+       }
+       if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
+       {
+-       pty_recv_buf->Put("yes\n");
+-       pty_send_buf->Put("yes\n");
++       const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
++       pty_recv_buf->Put(answer);
++       pty_send_buf->Put(answer);
+        return m;
+       }
+       if(!received_greeting && recv_buf->Size()>0)
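Review bot: in the branch guarded by the strncasecmp match against y, a true auto-confirm still sends "yes" to every prompt that matches, exactly as the two removed Put("yes\n") lines did, so the setting cannot confirm a new host key without also confirming any other yes/no question ssh asks. If that is intended, a short comment above the `const char *answer=...` line saying so, and that the lookup is keyed on hostname, would help the next reader; otherwise the match should be narrowed to the host key prompt before "yes" is sent.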
+diff --git a/src/resource.cc b/src/resource.cc
+index 91b2e60..3a5e8b9 100644
+--- a/src/resource.cc
++++ b/src/resource.cc
+@@ -339,6 +339,7 @@ static ResType lftp_vars[] = {
+    {"mirror:no-empty-dirs",    "no",    
ResMgr::BoolValidate,ResMgr::NoClosure},
+    {"mirror:require-source",   "no",    
ResMgr::BoolValidate,ResMgr::NoClosure},
+ 
++   {"sftp:auto-confirm",       "no",    ResMgr::BoolValidate,0},
+    {"sftp:max-packets-in-flight","16",          ResMgr::UNumberValidate,0},
+    {"sftp:protocol-version",   "6",     ResMgr::UNumberValidate,0},
+    {"sftp:size-read",          "32k",   ResMgr::UNumberValidate,0},
+@@ -367,6 +368,7 @@ static ResType lftp_vars[] = {
+    {"dns:strict-dnssec",       "no",    ResMgr::BoolValidate,0},
+ #endif
+ 
++   {"fish:auto-confirm",       "no",    ResMgr::BoolValidate,0},
+    {"fish:shell",              "/bin/sh",0,0},
+    {"fish:connect-program",    "ssh -a -x",0,0},
+    {"fish:charset",            "",      ResMgr::CharsetValidate,0},
+-- 
+2.1.4
+
diff -Nru lftp-4.6.0/debian/patches/series lftp-4.6.0/debian/patches/series
--- lftp-4.6.0/debian/patches/series    2014-06-03 11:08:12.000000000 +0200
+++ lftp-4.6.0/debian/patches/series    2015-01-31 18:33:43.000000000 +0100
@@ -1,3 +1,4 @@
 config-dns-inet6_before_inet.patch
 lftp_sys-stdint-kfreebsd.patch
+add-settingsfish_auto-confirmandsftp_auto-confirm.patch
 
unblock lftp/4.6.0-1+deb8u1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

