USN-5160-1: Midnight Commander vulnerability
9 August 2022
Midnight Commander could be made to access a spoofed server instance.
Releases
Packages
- mc - Midnight Commander - a powerful file manager
Details
It was discovered that Midnight Commander would not check server fingerprints
when establishing an SFTP connection. If a remote attacker were able to intercept
communications this flaw could be exploited to impersonate the SFTP server.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
mc-data
-
3:4.8.24-2ubuntu1+esm1
Available with Ubuntu Pro
-
mc
-
3:4.8.24-2ubuntu1+esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
mc-data
-
3:4.8.19-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
mc
-
3:4.8.19-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
mc-data
-
3:4.8.15-2ubuntu0.1~esm1
Available with Ubuntu Pro
-
mc
-
3:4.8.15-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 14.04
-
mc-data
-
3:4.8.11-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
mc
-
3:4.8.11-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.