Bug 16121

Summary: filezilla new LOGJAM-related issue fixed upstream in 3.11.0.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, geiger.david68210, ottoleipala1, shlomif, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/648188/
Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory
Source RPM: filezilla-3.10.2-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-06-15 22:51:55 CEST 
Fedora has issued an advisory on June 5:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160110.html

I believe the impetus for the update was a change in 3.11.0.1 (even though they updated to 3.11.0.2), seen here:
https://filezilla-project.org/versions.php

"Reject Diffie-Hellman Groups smaller than 1024 bits when using FTP over TLS to protect against the Logjam attack"

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-15 22:52:05 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David GEIGER 2015-06-17 19:48:02 CEST 
Once Cauldron is reopened I'll update filezilla to 3.11.0.2 version for mga4, mga5 and Cauldron too.
Comment 2 David Walser 2015-06-20 23:25:16 CEST 
Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron by David.  Thanks!

Advisory:
========================

Updated filezilla package fixes security vulnerability:

The filezilla package has been updated to version 3.11.0.2, fixing multiple
bugs and one security issue, related to the LOGJAM TLS issue when using FTP.

References:
https://filezilla-project.org/versions.php
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/160110.html
========================

Updated packages in core/updates_testing:
========================
filezilla-3.11.0.2-1.mga4
filezilla-3.11.0.2-1.mga5

from SRPMS:
filezilla-3.11.0.2-1.mga4.src.rpm
filezilla-3.11.0.2-1.mga5.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 3 Brian Rockwell 2015-06-27 21:32:35 CEST 
MGA5-x86_64 - testing

CC: (none) => brtians1

Comment 4 William Kenney 2015-06-30 23:44:08 CEST 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
filezilla

default install of filezilla

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.10.2-1.mga4.i586 is already installed

I can transfer files to and from an FTP server. And rename them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.mga4.i586 is already installed

I can transfer files to and from an FTP server. And rename them.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64

CC: (none) => wilcal.int

Comment 5 William Kenney 2015-06-30 23:44:50 CEST 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
filezilla

default install of filezilla

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.10.2-1.mga4.x86_64 is already installed

I can transfer files to and from an FTP server. And rename them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.mga4.x86_64 is already installed

I can transfer files to and from an FTP server. And rename them.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Comment 6 William Kenney 2015-07-01 01:31:28 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
filezilla

default install of filezilla

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.10.2-1.mga5.i586 is already installed

I can transfer files to and from an FTP server. And rename them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.mga5.i586 is already installed

I can transfer files to and from an FTP server. And rename them.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Comment 7 William Kenney 2015-07-01 01:31:59 CEST 
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
filezilla

default install of filezilla

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.10.2-1.mga5.x86_64 is already installed

I can transfer files to and from an FTP server. And rename them.

install filezilla from updates_testing

[root@localhost wilcal]# urpmi filezilla
Package filezilla-3.11.0.2-1.mga5.x86_64 is already installed

I can transfer files to and from an FTP server. And rename them.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Comment 8 David GEIGER 2015-07-01 06:56:14 CEST 
Tested mga5_64,


Testing complete for filezilla-3.11.0.2-1.mga5, ok for me nothing to report.

Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 9 Otto Leipälä 2015-07-01 08:17:19 CEST 
Wilcal we need to only test one arch testing until list is little bit more clear.

CC: (none) => ozkyster

Comment 10 Shlomi Fish 2015-07-01 17:04:12 CEST 
adding the MGA{4,5}-{32,64}-OK keywords per the comments.

CC: (none) => shlomif
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK

Comment 11 Dave Hodgins 2015-07-01 23:13:55 CEST 
Advisory committed to svn.

Someone from the sysadmin team please push 16121.adv to updates for Mageia 4 and 5.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory

Comment 12 Dave Hodgins 2015-07-01 23:15:18 CEST 
Sorry, forgot to add the validated_update keyword.

Someone from the sysadmin team please push 16121.adv to updates for Mageia 4 and 5.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2015-07-05 19:23:27 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0260.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED