Bug 27231

Summary: filezilla new security issue CVE-2020-14002 due to bundled PuTTY
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: David GEIGER <geiger.david68210>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: filezilla-3.46.3-1.mga7.src.rpm, libfilezilla-0.19.3-1.mga7.src.rpm
CVE:
Status comment:
Bug Depends on: 26875, 29186
Bug Blocks:

Description David Walser 2020-08-31 14:42:30 CEST
+++ This bug was initially created as a clone of Bug #26875 +++

PuTTY 0.74 has been released on June 27:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

As usual, it contains a security fix.  Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet:
https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/

This is CVE-2020-14002.

Fedora has issued an advisory for this on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/

Fedora has issued advisories for filezilla and libfilezilla on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/

They updated to filezilla 3.48.1 and libfilezilla 0.22.0.

Apparently they don't fix this issue, however.

Comment 1 David Walser 2021-06-29 00:27:26 CEST
On March 10, Nicolas built:
libfilezilla-0.27.0-1.mga7.src.rpm
filezilla-3.52.2-1.mga7.src.rpm

I don't think it fixed this, though.  It looks like FileZilla 3.54 was the first to update to PuTTY 0.74:
https://svn.filezilla-project.org/filezilla?view=revision&revision=10235
https://filezilla-project.org/

CC: (none) => mageia

David Walser 2021-06-29 00:30:18 CEST

Depends on: (none) => 29186

Comment 2 David Walser 2021-07-01 18:24:05 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD