+++ This bug was initially created as a clone of Bug #17942 +++ Upstream has issued an advisory on March 5: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html The issue is fixed upstream in version 0.67. Götz updated it in Cauldron. Updated package checked into Mageia 5 SVN. It is having a strange build error right now, so we'll have to assign it to QA later when we can get it to build. Assigning to Götz for now. Advisory for the update is below. There will need to be a filezilla update (it bundles putty), but upstream hasn't made an update for this yet. Advisory: ======================== Updated putty package fixes security vulnerability: Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol. In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file (CVE-2016-2563). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html ======================== Updated packages in core/updates_testing: ======================== putty-0.67-1.mga5 from putty-0.67-1.mga5.src.rpm
This is fixed upstream now in FileZilla 3.16.1.
Yes, and already submitted and uploaded in Cauldron this morning :)
Yes, I saw. Now we need it updated for Mageia 5.
If we want to update for mga5 so we have to import libfilezilla.
Updated packages uploaded by David. Thanks! Advisory: ======================== Updated filezilla package fixes security vulnerability: Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption vulnerability in their treatment of the 'sink' direction (i.e. downloading from server to client) of the old-style SCP protocol. In order for this vulnerability to be exploited, the user must connect to a malicious server and attempt to download any file (CVE-2016-2563). FileZilla was vulnerable to this issue as it bundles a copy of PuTTY. The filezilla package has been updated to version 3.16.1, which fixes this issue and has many other fixes and enhancements. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2563 http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html https://filezilla-project.org/ ======================== Updated packages in core/updates_testing: ======================== libfilezilla0-0.4.0.1-1.mga5 libfilezilla-devel-0.4.0.1-1.mga5 libpugixml1-1.7-1.mga5 libpugixml-devel-1.7-1.mga5 filezilla-3.16.1-1.mga5 from SRPMS: libfilezilla-0.4.0.1-1.mga5.src.rpm pugixml-1.7-1.mga5.src.rpm filezilla-3.16.1-1.mga5.src.rpm
CC: (none) => geiger.david68210Assignee: geiger.david68210 => qa-bugs
When testing filezilla, please ensure blender also functions (load/save/etc) with the new pugixml library $ urpmq --whatrequires lib64pugixml1 lib64OpenImageIO1.2 lib64pugixml-devel lib64pugixml1 $ urpmq --whatrequires lib64OpenImageIO1.2 blender lib64OpenImageIO-devel lib64OpenImageIO1.2 opencolorio openimageio
URL: (none) => http://lwn.net/Vulnerabilities/680462/
In VirtualBox, M5, KDE, 64-bit Package(s) under test: filezilla default filezilla of package [root@localhost wilcal]# urpmi filezilla Package filezilla-3.11.0.2-1.1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi blender Package blender-2.73a-1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi lib64pugixml1 Package lib64pugixml1-1.4-5.mga5.x86_64 is already installed I can transfer files to and from an FTP server, local and remote. I can rename downloaded files. In Vbox running blender from a terminal results in the following error: [wilcal@localhost ~]$ blender libGL error: pci id for fd 8: 80ee:beef, driver (null) libGL error: core dri or dri2 extension not found libGL error: failed to load driver: vboxvideo GLEW Error (0x0001): GLEW_ERROR_NO_GL_VERSION: Missing GL version Writing: /tmp/blender.crash.txt Segmentation fault
CC: (none) => wilcal.int
On real hardware, M5, KDE, 64-bit Package(s) under test: filezilla blender default filezilla of package [root@localhost wilcal]# urpmi filezilla Package filezilla-3.11.0.2-1.1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi lib64pugixml1 Package lib64pugixml1-1.4-5.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi blender Package blender-2.73a-1.mga5.x86_64 is already installed I can transfer files to and from FTP servers, local and remote. I can rename downloaded files. Blender creates xxx.blender files. I can close them, reopen them, edit them and close them. install filezilla from updates_testing [root@localhost wilcal]# urpmi filezilla Package filezilla-3.16.1-1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi lib64pugixml1 Package lib64pugixml1-1.7-1.mga5.x86_64 is already installed [root@localhost wilcal]# urpmi blender Package blender-2.73a-1.mga5.x86_64 is already installed I can transfer files to and from FTP servers, local and remote. I can rename downloaded files. Blender creates xxx.blender files. I can close them, reopen them, edit them and close them again. Blender reopens previously created xxx.blender files. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 5 64-bit, Nvidia driver
Whiteboard: (none) => MGA5-32-OK
On real hardware, M5, KDE, 32-bit Package(s) under test: filezilla blender default filezilla of package [root@localhost wilcal]# urpmi filezilla Package filezilla-3.11.0.2-1.1.mga5.i586 is already installed [root@localhost wilcal]# urpmi libpugixml1 Package libpugixml1-1.4-5.mga5.i586 is already installed [root@localhost wilcal]# urpmi blender Package blender-2.73a-1.mga5.i586 is already installed I can transfer files to and from FTP servers, local and remote. I can rename downloaded files. Blender creates xxx.blender files. I can close them, reopen them, edit them and close them. install filezilla from updates_testing [root@localhost wilcal]# urpmi filezilla Package filezilla-3.16.1-1.mga5.i586 is already installed [root@localhost wilcal]# urpmi libpugixml1 Package libpugixml1-1.7-1.mga5.i586 is already installed [root@localhost wilcal]# urpmi blender Package blender-2.73a-1.mga5.x86_64 is already installed I can transfer files to and from FTP servers, local and remote. I can rename downloaded files. Blender creates xxx.blender files. I can close them, reopen them, edit them and close them again. Blender reopens previously created xxx.blender files. Test platform: Intel, P4 530J 3.0 GHz, 800MHz FSB, 1MB L2, LGA 775 GigaByte GA-81915G Pro F4 i915G LGA 775 MoBo Marvel Yukon 88E8001 Gigabit LAN Intel High Def Audio, Azalia (C-Media 9880) (snd-hda-intel) Intel Graphics Media Accelerator 900 (Intel 82915G) Kingston 4GB (2 x 2GB) DDR400 PC-3200 250GB Seagate Kingwin KF-91-BK SATA Mobile Rack Kingwin KF-91-T-BK SATA Mobile Rack Tray Sony CD/DVD-RW DWQ120AB2
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
(In reply to William Kenney from comment #7) > In Vbox running blender from a terminal results in the following error: > > [wilcal@localhost ~]$ blender > libGL error: pci id for fd 8: 80ee:beef, driver (null) > libGL error: core dri or dri2 extension not found > libGL error: failed to load driver: vboxvideo > GLEW Error (0x0001): GLEW_ERROR_NO_GL_VERSION: Missing GL version > Writing: /tmp/blender.crash.txt > Segmentation fault Opened: Summary: Blender seg faults in a Vbox client https://bugs.mageia.org/show_bug.cgi?id=18035
CC: (none) => davidwhodginsWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0118.html
Status: NEW => RESOLVEDResolution: (none) => FIXED