PuTTY 0.74 has been released on June 27:
As usual, it contains a security fix. Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet.
putty updated for mga7, waiting for Filezilla upstream fixes!
putty-0.74-1.mga7 was uploaded. There's probably a CVE, which upstream doesn't like to list, so hopefully I'll see something from another distro soon.
Fedora has issued advisories for filezilla and libfilezilla on July 4:
They updated to filezilla 3.48.1 and libfilezilla 0.22.0.
I'm guessing that's related to this.
Nope, upstream filezilla hasn't yet ported the bundled putty to the latest 0.74 release.
This is CVE-2020-14002.
Fedora has issued an advisory for this on July 9:
putty 0.74 update fixes security issue => putty 0.74 update fixes security issue (CVE-2020-14002)
David, is there an updated filezilla available now?
There is a new release 3.50.0 but without putty security fixes for now:
Split filezilla to Bug 27231 to push the PuTTY update.
Updated putty package fixes security vulnerability:
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information
leak in the algorithm negotiation. This allows man-in-the-middle attackers to
target initial connection attempts (where no host key for the server has been
cached by the client) (CVE-2020-14002).
Updated packages in core/updates_testing:
Updated putty and tried the SSH connection only.
Connected to login on another node of the LAN with user agent and authorized keys.
Commandline worked fine. Logged out OK.
$ putty -X -l lcl
Connected to the other LAN node - terminal window appeared, user already logged in when the machine name was specified. Executed a small ruby script which posted a window on the local machine which responded to the exit button. Tried something a little more complicated, another gui with images and popup windows. These could be closed down but not moved. putty closed down when exit or logout was typed.
Seems to work fine with SSH. "Connection refused" for telnet port 23.
Adding the OK.
An update for this issue has been pushed to the Mageia Updates repository.