| Summary: | filezilla new security issue CVE-2020-14002 due to bundled PuTTY | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, hdetavernier, herman.viaene, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | filezilla-3.51.0-3.mga8.src.rpm, libfilezilla-0.25.0-2.mga8.src.rpm | CVE: | CVE-2020-14002 |
| Status comment: | |||
| Bug Depends on: | 26875 | ||
| Bug Blocks: | 27231 | ||
|
Description
David Walser
2021-06-29 00:30:18 CEST
There is filezilla-3.52.2-1.mga8.src.rpm in core/updates_testing. This is also affected.
CC: (none) => ouaurelien

New filezilla added in mga8/9
src:
- libfilezilla-0.30.0-1.mga8
- filezilla-3.55.0-1.mga8
Assignee: geiger.david68210 => qa-bugs

Updates bundled PuTTY to "pre-0.76"

libfilezilla15-0.30.0-1.mga8
libfilezilla-i18n-0.30.0-1.mga8
libfilezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm

Additional advisory reference: https://filezilla-project.org/versions.php

Advisory:
========================

Updated filezilla and libfilezilla packages fix security vulnerability:

filezilla embeds a PuTTY client that is vulnerable:
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14002).

The filezilla packages are updated to version 3.55.0 to fix this issue, among other bugfixes since the 3.51.0 we shipped in Mageia 8. See upstream release notes for more information.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29186
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14002
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://filezilla-project.org/versions.php
========================

Updated packages in core/updates_testing:
========================
lib(64)filezilla15-0.30.0-1.mga8
lib(64)filezilla-i18n-0.30.0-1.mga8
lib(64)filezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm

Mageia 8 X64 Gnome
Installed without problem. Tested with uploaded, downloaded and removed files without problems.
CC: (none) => hdetavernier

Strange: in QArepo:
lib64filezilla-i18n-0.30.0-1.mga8 not found in the remote repository
CC: (none) => herman.viaene

Forgot to mention: Dutch installation.

i18n is just lib, not lib64.

Yes, that did it.
Aurelien, please don't put me on the wrong foot again, I've already got a bad leg. ;)
Connected FileZilla to my own webspace, works OK.
Whiteboard: (none) => MGA8-64-OK

(In reply to Herman Viaene from comment #10)
> Yes, that did it.
> Aurelien, please don't put me on the wrong foot again, I've already got a
> bad leg. ;)
> Connected FileZilla to my own webspace, works OK.

Oops, sorry.

Validating. Advisory in Comment 5.
Keywords: (none) => validated_update

Aurelien Oudelet
2021-07-27 20:51:00 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0380.html
Resolution: (none) => FIXED
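A check an admin or QA tester could run after this update, as an added example that is not Mageia's own tooling: it parses installed-package output and compares each package named in the advisory above against the fixed build using rpm-style segment comparison. The package list is constructed sample input standing in for real `rpm -qa --qf` output; the noarch "lib" versus "lib64" naming of the i18n package that tripped up QA is reflected in the expected names.

```python
"""Check whether a Mageia 8 host has the fixed filezilla/libfilezilla builds
from this advisory (CVE-2020-14002).  Added example, not Mageia's own tooling;
epoch is not considered.  SAMPLE_RPM_QA is constructed output of:
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'
"""
import re

# Fixed builds named in the advisory comment.  The i18n package is noarch,
# so it is "lib", not "lib64" (the QA repo confusion above).
FIXED = {
    "filezilla": "3.55.0-1.mga8",
    "lib64filezilla15": "0.30.0-1.mga8",
    "libfilezilla-i18n": "0.30.0-1.mga8",
}

# Constructed sample: filezilla still at the affected 3.52.2 build.
SAMPLE_RPM_QA = """\
filezilla 3.52.2-1.mga8
lib64filezilla15 0.30.0-1.mga8
libfilezilla-i18n 0.30.0-1.mga8
"""
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare numeric/alphabetic segments in order;
    numeric segments compare by value and outrank alphabetic ones."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_rpm_qa(text):
    """Map package name -> 'VERSION-RELEASE' from rpm -qa output."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def outdated_packages(installed, fixed=FIXED):
    """Return {name: installed VR} for advisory packages still below the fix."""
    return {n: installed[n] for n, vr in fixed.items()
            if n in installed and evr_cmp(installed[n], vr) < 0}
```

Packages from the advisory that are not installed at all are simply not reported; an empty result means every installed advisory package is at or above the fixed build.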