desktop-packages team mailing list archive
Message #124957
[Bug 760381] Re: Remmina does not check SSH host keys
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".
** Changed in: remmina (Ubuntu Lucid)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to remmina in Ubuntu.
https://bugs.launchpad.net/bugs/760381
Title:
Remmina does not check SSH host keys
Status in remmina package in Ubuntu:
Fix Released
Status in remmina source package in Lucid:
Won't Fix
Status in remmina source package in Maverick:
Won't Fix
Status in remmina source package in Natty:
Won't Fix
Status in remmina source package in Oneiric:
Won't Fix
Status in remmina source package in Precise:
Fix Released
Bug description:
Binary package hint: remmina
Prior to Feb 2 2011 [in git], Remmina did not check SSH server keys at
all, so it was vulnerable to a man-in-the-middle attack. These attacks
are known to have occurred in the wild in certain environments, so I
believe the package should be patched in the actively-supported
distributions to perform this check. Of particular interest to me is
the LTS release, 10.04.
To reproduce: change a server key in .ssh/known_hosts. Observe how
command-line ssh puts up big warnings about the changed key. However,
remmina ssh connects without even a hint of something being amiss.
The attached patch is from the maintainer, Vic Lee. You can also find
it in remmina git, commit 1e20ab0c8e9e4f7fcdf671741005d433b9169a73.
Vic says the patch should apply cleanly to older versions, as well.
Regards,
Ovy
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/remmina/+bug/760381/+subscriptions
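The check whose absence the bug report describes, as an added example that is not Remmina's code or the patch referenced above: the key a server presents is compared against known_hosts, and a mismatch for a known host is reported as "changed" rather than silently accepted. The function names and the sample host names, salt and key bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac

def _b64(raw):
    return base64.b64encode(raw).decode()

def hash_host(host, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (_b64(salt), _b64(mac))

def host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed) names host."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(parts[3]))
    return host in field.split(",")  # wildcard patterns are not handled here

def check_host_key(known_hosts_text, host, key_type, key_b64):
    """Return 'ok', 'changed' or 'unknown' for the key a server presented."""
    verdict = "unknown"
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @marker lines (not handled here).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if fields[2] == key_b64:
            return "ok"
        verdict = "changed"  # same host and key type, different key: refuse
    return verdict

# Constructed sample data: these byte strings stand in for real public keys.
KEY_A, KEY_B = _b64(b"constructed-key-A"), _b64(b"constructed-key-B")
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "server.example,192.0.2.10 ssh-ed25519 " + KEY_A,
    hash_host("hidden.example", b"constructed-salt") + " ssh-ed25519 " + KEY_A,
])

if __name__ == "__main__":
    for host, key in [("server.example", KEY_A), ("server.example", KEY_B),
                      ("hidden.example", KEY_B), ("new.example", KEY_A)]:
        print(host, check_host_key(SAMPLE, host, "ssh-ed25519", key))
```

A client should abort the connection on "changed" and ask the user before trusting a host on "unknown".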