[SECURITY] p7zip: CVE-2015-1038

Corinna Vinschen corinna-cygwin@cygwin.com
Wed Feb 10 10:40:00 GMT 2016


On Feb  9 14:48, Tony Kelman wrote:
> >> I don't have anything for sourceware or cygwin.com in
> >> ~/.ssh/known_hosts, should I?
> >
> > In theory, yes. It's usually collected the first time you connect to
> > the host. The idea is to have a known key to compare the host against
> > to disallow MITM attacks.
> 
> Hm okay, what's the best way to get this fixed then? Generate new
> ssh keys? Or someone else can NMU this since it's a security issue,
> my cygport including the new patch is at
> https://github.com/tkelman/cygwin-p7zip

I'm not sure, in fact.  The error you got was related to the host keys,
not the user keys.  Changing the keys would probably not help, though
we can try that, of course.  What does "NMU" mean?


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat