*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Marc Deslauriers
(mdeslaur):
Binary package hint: remmina

Prior to Feb 2 2011 [in git], Remmina did not check SSH server keys at
all, so it was vulnerable to a man-in-the-middle attack. These attacks
are known to have occurred in the wild in certain environments, so I
believe the package should be patched in the actively-supported
distributions to perform this check. Of particular interest to me is the
LTS release, 10.04.

To reproduce: change a server key in .ssh/known_hosts. Observe how
command-line ssh puts up big warnings about the changed key. However,
remmina ssh connects without even a hint of something being amiss.

The attached patch is from the maintainer, Vic Lee. You can also find it
in remmina git, commit 1e20ab0c8e9e4f7fcdf671741005d433b9169a73. Vic
says the patch should apply cleanly to older versions, as well.

Regards,
Ovy

** Affects: remmina (Ubuntu)
Importance: Undecided
Status: New
** Tags: libssh security ssh vnc
--
Remmina does not check SSH host keys
https://bugs.launchpad.net/bugs/760381
You received this bug notification because you are a member of Ubuntu Bugs,
which is a direct subscriber.
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
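
The check the report says was missing, as an added example that is not part of the bug report and is not Remmina's patch or libssh code: the key a server presents is compared with the plain-text entries in known_hosts, and a mismatch for a known host is reported separately from an unknown host. The names `check_host_key` and `hostkey_status` and the sample data are assumptions of this example; hashed entries are not handled, and a known host offering a key type that is not stored is reported as unknown.

```c
#include <stdio.h>
#include <string.h>

enum hostkey_status { HOSTKEY_OK, HOSTKEY_CHANGED, HOSTKEY_UNKNOWN }; /* example's own names */

/* Constructed sample known_hosts content; key strings are placeholders. */
static const char SAMPLE_KNOWN_HOSTS[] =
    "# constructed sample\n"
    "gw.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed1\n"
    "db.example.test ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed2\n";

/* Return 1 if host is one of the comma-separated names in field. */
static int host_listed(const char *field, const char *host) {
    size_t hlen = strlen(host);
    while (*field) {
        size_t n = strcspn(field, ",");
        if (n == hlen && memcmp(field, host, n) == 0) return 1;
        field += n + (field[n] == ',');
    }
    return 0;
}

/* Compare the key a server presented with plain "host[,host] type base64key"
 * lines. Hashed "|1|" entries and "@" markers are skipped (not implemented). */
enum hostkey_status check_host_key(const char *known_hosts, const char *host,
                                   const char *type, const char *b64key) {
    enum hostkey_status st = HOSTKEY_UNKNOWN;
    for (const char *line = known_hosts; *line; ) {
        size_t len = strcspn(line, "\n");
        char buf[2048], hosts[512], ktype[64], key[1400];
        if (len < sizeof buf && line[0] != '#' && line[0] != '|' && line[0] != '@') {
            memcpy(buf, line, len);   /* parse one line at a time */
            buf[len] = '\0';
            if (sscanf(buf, "%511s %63s %1399s", hosts, ktype, key) == 3 &&
                host_listed(hosts, host) && strcmp(ktype, type) == 0) {
                if (strcmp(key, b64key) == 0) return HOSTKEY_OK;
                st = HOSTKEY_CHANGED; /* known host, same key type, other key */
            }
        }
        line += len + (line[len] == '\n');
    }
    return st;
}

int main(void) {
    enum hostkey_status st = check_host_key(SAMPLE_KNOWN_HOSTS, "gw.example.test",
                                            "ssh-rsa", "AAAAB3NzaC1yc2EAAAAother");
    puts(st == HOSTKEY_CHANGED ? "host key changed: refuse to connect" : "no mismatch");
    return 0;
}
```

A client that connects regardless of this result behaves as the report describes; `HOSTKEY_CHANGED` is the case command-line ssh warns about.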