Bug 17120 - filezilla new security issue CVE-2015-5309
Summary: filezilla new security issue CVE-2015-5309
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-10 16:38 CET by David Walser
Modified: 2015-11-11 14:55 CET

See Also:
Source RPM: filezilla-3.11.0.2-1.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-11-10 16:38:02 CET
+++ This bug was initially created as a clone of Bug #17114 +++

Upstream has issued an advisory on November 7:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html

The issue is fixed upstream in version 0.66.

FileZilla embeds a copy of PuTTY and needs to be updated once FileZilla has been updated to include PuTTY 0.66.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5309
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://filezilla-project.org/newsfeed.php
Comment 1 David GEIGER 2015-11-11 11:31:24 CET
@ David:

I just asked upstream on the IRC channel and they say:

david_david: 
- from http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-ech-overflow.html: "Only PuTTY, PuTTYtel, and pterm are affected; other PuTTY tools do not include the terminal emulator, so cannot be exploited this way."

- SFTP support in FileZilla is based on PuTTY's psftp


So it seems that the filezilla package is not affected by CVE-2015-5309.
Comment 2 David Walser 2015-11-11 14:55:44 CET
OK, thanks.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

