--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: lftp/4.6.0-1+deb8u1
- From: Noël Köthe <noel@debian.org>
- Date: Sat, 31 Jan 2015 19:36:46 +0100
- Message-id: <20150131183646.23879.9077.reportbug@pro.example.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package lftp
lftp in jessie/testing accepts and adds ssh host keys (fish/sftp) hardcoded.
This is fixed by the upstream patch.
Debian Bug #774769
Upstream Patch https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec
The bug is reported normal with the security tag and Moritz Mühlenhoff
asked for jessie integration.
Thanks for your work
Regards
Noël
# debdiff lftp_4.6.0-1.dsc lftp_4.6.0-1+deb8u1.dsc
diff -Nru lftp-4.6.0/debian/changelog lftp-4.6.0/debian/changelog
--- lftp-4.6.0/debian/changelog 2014-10-14 14:29:20.000000000 +0200
+++ lftp-4.6.0/debian/changelog 2015-01-31 18:32:39.000000000 +0100
@@ -1,3 +1,10 @@
+lftp (4.6.0-1+deb8u1) testing-proposed-updates; urgency=medium
+
+ * adding upstream patch to fix auto-confirm of ssh/sftp host keys
+ closes: Bug#774769
+
+ -- Noël Köthe <noel@debian.org> Sat, 31 Jan 2015 18:29:33 +0100
+
lftp (4.6.0-1) unstable; urgency=medium
* new upstream release from 2014-10-14
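Review bot: The new 4.6.0-1+deb8u1 changelog entry does not say that the default behaviour changes. With the patch added below, fish:auto-confirm and sftp:auto-confirm both default to "no", so lftp no longer answers "yes" to a new host key question. State that in the entry (and consider a debian/NEWS item) so that users with unattended fish/sftp jobs know they must have the host key accepted beforehand or set the option explicitly.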
diff -Nru lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch
--- lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch 1970-01-01 01:00:00.000000000 +0100
+++ lftp-4.6.0/debian/patches/add-settingsfish_auto-confirmandsftp_auto-confirm.patch 2015-01-31 18:24:16.000000000 +0100
@@ -0,0 +1,78 @@
+From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
+Date: Tue, 13 Jan 2015 15:33:54 +0300
+Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm
+
+New host keys are now not confirmed by default, this should improve security.
+Suggested by Marcin Szewczyk <Marcin.Szewczyk@wodny.org>
+---
+ doc/lftp.1 | 8 ++++++++
+ src/SSH_Access.cc | 5 +++--
+ src/resource.cc | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lftp.1 b/doc/lftp.1
+index cabc1be..ed6c388 100644
+--- a/doc/lftp.1
++++ b/doc/lftp.1
+@@ -1384,6 +1384,10 @@ address family in dns:order.
+ .BR file:charset \ (string)
+ local character set. It is set from current locale initially.
+ .TP
++.BR fish:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR fish:charset \ (string)
+ the character set used by fish server in requests, replies and file listings.
+ Default is empty which means the same as local.
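Review bot: The new fish:auto-confirm entry does not state its default, although the neighbouring fish:charset entry does ("Default is empty"). Add the default ("no", as registered in src/resource.cc) here and in the identically worded sftp:auto-confirm entry, and say outright that setting it to true makes lftp accept a host key it has never seen without any verification.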
+@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to.
+ save pget transfer status this often. Set to `never' to disable saving of the status file.
+ The status is saved to a file with suffix \fI.lftp-pget-status\fP.
+ .TP
++.BR sftp:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR sftp:charset \ (string)
+ the character set used by SFTP server in file names and file listings.
+ Default is empty which means the same as local. This setting is only used
+diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
+index 706fc6a..17c716d 100644
+--- a/src/SSH_Access.cc
++++ b/src/SSH_Access.cc
+@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage()
+ }
+ if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
+ {
+- pty_recv_buf->Put("yes\n");
+- pty_send_buf->Put("yes\n");
++ const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
++ pty_recv_buf->Put(answer);
++ pty_send_buf->Put(answer);
+ return m;
+ }
+ if(!received_greeting && recv_buf->Size()>0)
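Review bot: In HandleSSHMessage() the changed branch is entered for any pty output that ends with the string in y (the strncasecmp on b+s-y_len), so with auto-confirm enabled "yes\n" is sent to every such ssh question, not only to the first-contact host key question. That matches the man page wording ("all ssh questions"), but it means the option cannot be used to accept a new key without also confirming anything else ssh asks. Consider checking for the host key question specifically before sending "yes\n" and keeping "no\n" for everything else.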
+diff --git a/src/resource.cc b/src/resource.cc
+index 91b2e60..3a5e8b9 100644
+--- a/src/resource.cc
++++ b/src/resource.cc
+@@ -339,6 +339,7 @@ static ResType lftp_vars[] = {
+ {"mirror:no-empty-dirs", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+ {"mirror:require-source", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+
++ {"sftp:auto-confirm", "no", ResMgr::BoolValidate,0},
+ {"sftp:max-packets-in-flight","16", ResMgr::UNumberValidate,0},
+ {"sftp:protocol-version", "6", ResMgr::UNumberValidate,0},
+ {"sftp:size-read", "32k", ResMgr::UNumberValidate,0},
+@@ -367,6 +368,7 @@ static ResType lftp_vars[] = {
+ {"dns:strict-dnssec", "no", ResMgr::BoolValidate,0},
+ #endif
+
++ {"fish:auto-confirm", "no", ResMgr::BoolValidate,0},
+ {"fish:shell", "/bin/sh",0,0},
+ {"fish:connect-program", "ssh -a -x",0,0},
+ {"fish:charset", "", ResMgr::CharsetValidate,0},
+--
+2.1.4
+
diff -Nru lftp-4.6.0/debian/patches/series lftp-4.6.0/debian/patches/series
--- lftp-4.6.0/debian/patches/series 2014-06-03 11:08:12.000000000 +0200
+++ lftp-4.6.0/debian/patches/series 2015-01-31 18:33:43.000000000 +0100
@@ -1,3 +1,4 @@
config-dns-inet6_before_inet.patch
lftp_sys-stdint-kfreebsd.patch
+add-settingsfish_auto-confirmandsftp_auto-confirm.patch
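Review bot: The name added to series, add-settingsfish_auto-confirmandsftp_auto-confirm.patch, has lost the separators between words ("settingsfish", "confirmandsftp") and is hard to read next to the other two entries. A shorter descriptive name, for example ssh-auto-confirm.patch, would be easier to track; the file under debian/patches would need the same rename.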
unblock lftp/4.6.0-1+deb8u1
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---