Bug 17120

Summary: filezilla new security issue CVE-2015-5309
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 5   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: filezilla-3.11.0.2-1.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-10 16:38:02 CET 
+++ This bug was initially created as a clone of Bug #17114 +++

Upstream has issued an advisory on November 7:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html

The issue is fixed upstream in version 0.66.

FileZilla embeds a copy of PuTTY and needs to be updated once FileZilla has been updated to include PuTTY 0.66.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5309
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://filezilla-project.org/newsfeed.php
Comment 1 David GEIGER 2015-11-11 11:31:24 CET 
@ David:

I just asked upstream to irc channel and they say:

david_david: 
- from http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html: "Only PuTTY, PuTTYtel, and pterm are affected; other PuTTY tools do not include the terminal emulator, so cannot be exploited this way."

- SFTP support in FileZilla is based on PuTTY's psftp


So seems that filezilla package is not affected by CVE-2015-5309.
Comment 2 David Walser 2015-11-11 14:55:44 CET 
OK, thanks.

Status: NEW => RESOLVED
Resolution: (none) => INVALID