diff --git a/lftp-4.6.1-auto-confirm.patch b/lftp-4.6.1-auto-confirm.patch
new file mode 100644
index 0000000..852f3d8
--- /dev/null
+++ b/lftp-4.6.1-auto-confirm.patch
@@ -0,0 +1,78 @@
+From bc7b476e782d77839765f56bbdb4cee9f36b54ec Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov"
+Date: Tue, 13 Jan 2015 15:33:54 +0300
+Subject: [PATCH] add settings fish:auto-confirm and sftp:auto-confirm
+
+New host keys are now not confirmed by default, this should improve security.
+Suggested by Marcin Szewczyk
+---
+ doc/lftp.1 | 8 ++++++++
+ src/SSH_Access.cc | 5 +++--
+ src/resource.cc | 2 ++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/lftp.1 b/doc/lftp.1
+index cabc1be..ed6c388 100644
+--- a/doc/lftp.1
++++ b/doc/lftp.1
+@@ -1384,6 +1384,10 @@ address family in dns:order.
+ .BR file:charset \ (string)
+ local character set. It is set from current locale initially.
+ .TP
++.BR fish:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR fish:charset \ (string)
+ the character set used by fish server in requests, replies and file listings.
+ Default is empty which means the same as local.
+@@ -1952,6 +1956,10 @@ minimal chunk size to split the file to.
+ save pget transfer status this often. Set to `never' to disable saving of the status file.
+ The status is saved to a file with suffix \fI.lftp-pget-status\fP.
+ .TP
++.BR sftp:auto-confirm \ (boolean)
++when true, lftp answers ``yes'' to all ssh questions, in particular to the
++question about a new host key. Otherwise it answers ``no''.
++.TP
+ .BR sftp:charset \ (string)
+ the character set used by SFTP server in file names and file listings.
+ Default is empty which means the same as local. This setting is only used
+diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
+index 706fc6a..17c716d 100644
+--- a/src/SSH_Access.cc
++++ b/src/SSH_Access.cc
+@@ -72,8 +72,9 @@ int SSH_Access::HandleSSHMessage()
+ }
+ if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
+ {
+- pty_recv_buf->Put("yes\n");
+- pty_send_buf->Put("yes\n");
++ const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
++ pty_recv_buf->Put(answer);
++ pty_send_buf->Put(answer);
+ return m;
+ }
+ if(!received_greeting && recv_buf->Size()>0)
+diff --git a/src/resource.cc b/src/resource.cc
+index 91b2e60..3a5e8b9 100644
+--- a/src/resource.cc
++++ b/src/resource.cc
+@@ -339,6 +339,7 @@ static ResType lftp_vars[] = {
+ {"mirror:no-empty-dirs", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+ {"mirror:require-source", "no", ResMgr::BoolValidate,ResMgr::NoClosure},
+
++ {"sftp:auto-confirm", "no", ResMgr::BoolValidate,0},
+ {"sftp:max-packets-in-flight","16", ResMgr::UNumberValidate,0},
+ {"sftp:protocol-version", "6", ResMgr::UNumberValidate,0},
+ {"sftp:size-read", "32k", ResMgr::UNumberValidate,0},
+@@ -367,6 +368,7 @@ static ResType lftp_vars[] = {
+ {"dns:strict-dnssec", "no", ResMgr::BoolValidate,0},
+ #endif
+
++ {"fish:auto-confirm", "no", ResMgr::BoolValidate,0},
+ {"fish:shell", "/bin/sh",0,0},
+ {"fish:connect-program", "ssh -a -x",0,0},
+ {"fish:charset", "", ResMgr::CharsetValidate,0},
+--
+2.1.0
+
diff --git a/lftp.spec b/lftp.spec
index 567a2bc..9267b56 100644
--- a/lftp.spec
+++ b/lftp.spec
@@ -1,7 +1,7 @@
 Summary: A sophisticated file transfer program
 Name: lftp
 Version: 4.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Source0: ftp://ftp.yar.ru/pub/source/%{name}/%{name}-%{version}.tar.xz
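Review bot: The new `answer` line in the SSH_Access.cc hunk replies to every prompt whose tail matches the yes/no pattern tested just above it, so `auto-confirm` is all-or-nothing: turning it on brings back unverified acceptance of unknown host keys along with any other ssh question. The value is read with `QueryBool("auto-confirm",hostname)`, which suggests it can be scoped to a single host, yet neither new entry in the doc/lftp.1 hunks mentions that; I would add a sentence such as `This setting accepts a host name closure; prefer enabling it for individual hosts rather than globally.` A short comment above the line would also help, e.g. `// "no" declines the prompt, so ssh is expected to give up on a host whose key it does not already trust`. HandleSSHMessage begins and continues outside the hunk, so how the declined prompt is reported to the user cannot be confirmed from here.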
@@ -13,6 +13,7 @@ BuildRequires: zlib-devel Patch1: lftp-4.0.9-date_fmt.patch Patch2: lftp-4.0.9-mirror302-1.patch Patch3: lftp-4.0.9-mirror302-2.patch +patch4: lftp-4.6.1-auto-confirm.patch %description LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job @@ -35,6 +36,7 @@ Utility scripts for use with lftp. %patch1 -p1 -b .date_fmt %patch2 -p1 -b .mirror302-1 %patch3 -p1 -b .mirror302-2 +%patch4 -p1 -b .auto-confirm #sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure sed -i.norpath -e \ @@ -97,6 +99,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Feb 26 2015 Tomas Hozza - 4.6.1-4 +- Don't auto accept remote host SSH fingerprint (new option auto-confirm) (#1180209) + * Sat Feb 21 2015 Till Maas - 4.6.1-3 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
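Review bot: The tag added in the second lftp.spec hunk is spelled `patch4:` while its neighbours are `Patch1:` to `Patch3:`. rpm appears to match preamble tags without regard to case, so the patch is probably still applied by the `%patch4` line in the next hunk, but anything that searches the spec for `^Patch` would miss a security-relevant patch. I would write it as `Patch4: lftp-4.6.1-auto-confirm.patch` to match the surrounding entries.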