Candidate: CVE-2021-36370
PublicDate: 2021-08-30 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36370
 https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f
 https://github.com/MidnightCommander/mc/blob/master/src/vfs/sftpfs/connection.c
 https://github.com/MidnightCommander/mc/blob/5c1d3c55dd15356ec7d079084d904b7b0fd58d3e/src/vfs/sftpfs/connection.c#L484
 https://sourceforge.net/projects/mcwin32/files/
 https://midnight-commander.org/
Description:
 An issue was discovered in Midnight Commander through 4.8.26. When
 establishing an SFTP connection, the fingerprint of the server is neither
 checked nor displayed. As a result, a user connects to the server without
 the ability to verify its authenticity.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_mc:
 upstream: https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f
upstream_mc: released (3:4.8.27-1)
trusty_mc: ignored (out of standard support)
trusty/esm_mc: needed
xenial_mc: ignored (out of standard support)
bionic_mc: needed
focal_mc: needed
hirsute_mc: ignored (reached end-of-life)
impish_mc: needed
jammy_mc: needed
devel_mc: needed