PuTTY 0.74 has been released on June 27: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html As usual, it contains a security fix. Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet.
putty updated for mga7, waiting for Filezilla upstream fixes!
putty-0.74-1.mga7 was uploaded. There's probably a CVE, which upstream doesn't like to list, so hopefully I'll see something from another distro soon.
Fedora has issued advisories for filezilla and libfilezilla on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/
They updated to filezilla 3.48.1 and libfilezilla 0.22.0. I'm guessing that's related to this.
Nope, upstream filezilla hasn't yet ported the bundled putty to the latest 0.74 release.
This is CVE-2020-14002. Fedora has issued an advisory for this on July 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
Summary: putty 0.74 update fixes security issue => putty 0.74 update fixes security issue (CVE-2020-14002)
David, is there an updated filezilla available now?
There is a new release 3.50.0 but without putty security fixes for now: https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/
Blocks: (none) => 27231
Split filezilla to Bug 27231 to push the PuTTY update.
Advisory:
========================
Updated putty package fixes security vulnerability:
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14002).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14002
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
========================
Updated packages in core/updates_testing:
========================
putty-0.74-1.mga7
from putty-0.74-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
mga7, x86_64
Updated putty and tried the SSH connection only.
Connected to login on another node of the LAN with user agent and authorized keys. Commandline worked fine. Logged out OK.
Tried
$ putty -X -l lcl
Connected to the other LAN node - terminal window appeared, user already logged in when the machine name was specified. Executed a small ruby script which posted a window on the local machine which responded to the exit button. Tried something a little more complicated, another gui with images and popup windows. These could be closed down but not moved. putty closed down when exit or logout was typed.
Seems to work fine with SSH. "Connection refused" for telnet port 23.
Adding the OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0358.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Blocks: (none) => 29186