Bug 29186 - filezilla new security issue CVE-2020-14002 due to bundled PuTTY
Summary: filezilla new security issue CVE-2020-14002 due to bundled PuTTY
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 26875
Blocks: 27231
Reported: 2021-06-29 00:30 CEST by David Walser
Modified: 2021-07-27 22:23 CEST

See Also:
Source RPM: filezilla-3.51.0-3.mga8.src.rpm, libfilezilla-0.25.0-2.mga8.src.rpm
CVE: CVE-2020-14002
Status comment:


Description David Walser 2021-06-29 00:30:18 CEST
+++ This bug was initially created as a clone of Bug #27231 +++

+++ This bug was initially created as a clone of Bug #26875 +++

PuTTY 0.74 has been released on June 27:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

As usual, it contains a security fix.  Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet:
https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/

This is CVE-2020-14002.

Fedora has issued an advisory for this on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/

Fedora has issued advisories for filezilla and libfilezilla on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/

They updated to filezilla 3.48.1 and libfilezilla 0.22.0.

Apparently they don't fix this issue, however.

It looks like FileZilla 3.54 was the first to update to PuTTY 0.74:
https://svn.filezilla-project.org/filezilla?view=revision&revision=10235
https://filezilla-project.org/
Comment 1 Aurelien Oudelet 2021-07-20 21:44:38 CEST
There is filezilla-3.52.2-1.mga8.src.rpm in core/updates_testing.

This is also affected.

CC: (none) => ouaurelien

Comment 2 Nicolas Lécureuil 2021-07-23 01:03:19 CEST
New filezilla added in mga8/9


src:
    - libfilezilla-0.30.0-1.mga8
    - filezilla-3.55.0-1.mga8

Assignee: geiger.david68210 => qa-bugs

Comment 3 David Walser 2021-07-23 01:26:17 CEST
Updates bundled PuTTY to "pre-0.76"

libfilezilla15-0.30.0-1.mga8
libfilezilla-i18n-0.30.0-1.mga8
libfilezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm
Comment 4 David Walser 2021-07-23 01:27:34 CEST
Additional advisory reference:
https://filezilla-project.org/versions.php
Comment 5 Aurelien Oudelet 2021-07-23 11:07:52 CEST
Advisory:
========================

Updated filezilla and libfilezilla packages fix security vulnerability:

filezilla embeds a PuTTY client that is vulnerable:
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14002).

The filezilla packages are updated to version 3.55.0 to fix this issue, among
other bugfixes since the 3.51.0 we shipped in Mageia 8. See the upstream release
notes for more information.

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29186
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14002
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/
 - https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
 - https://filezilla-project.org/versions.php
========================

Updated packages in core/updates_testing:
========================
lib(64)filezilla15-0.30.0-1.mga8
lib(64)filezilla-i18n-0.30.0-1.mga8
lib(64)filezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm
Comment 6 Hugues Detavernier 2021-07-23 11:41:06 CEST
Mageia 8 X64 Gnome

Installed without problem.

Tested with uploaded, downloaded and removed files without problems.

CC: (none) => hdetavernier

Comment 7 Herman Viaene 2021-07-26 15:38:50 CEST
Strange: in QArepo: lib64filezilla-i18n-0.30.0-1.mga8 not found in the remote repository

CC: (none) => herman.viaene

Comment 8 Herman Viaene 2021-07-26 15:39:36 CEST
Forgot to mention: Dutch installation.
Comment 9 David Walser 2021-07-26 16:05:27 CEST
i18n is just lib, not lib64.
Comment 10 Herman Viaene 2021-07-26 16:24:35 CEST
Yes, that did it.
Aurelien, please don't put me on the wrong foot again, I already have a bad leg. ;)
Connected filezilla to my own webspace, works OK.

Whiteboard: (none) => MGA8-64-OK

Comment 11 Aurelien Oudelet 2021-07-26 17:49:16 CEST
(In reply to Herman Viaene from comment #10)
> Yes, that did it.
> Aurelien, please don't put me on the wrong foot again, I already have a
> bad leg. ;)
> Connected filezilla to my own webspace, works OK.

Oops, sorry.
Comment 12 Thomas Andrews 2021-07-27 03:57:47 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-27 20:51:00 CEST

Keywords: (none) => advisory
CVE: (none) => CVE-2020-14002

Comment 13 Mageia Robot 2021-07-27 22:23:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0380.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
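
A check a tester or admin could run to confirm that a host carries the builds listed in Comment 5, added here as an example and not taken from the bug thread or from Mageia tooling. The function names and the sample package strings at the bottom are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: compare package name-version-release (NVR) strings with the
# builds listed in Comment 5. Sample NVRs at the bottom are constructed.

# Fixed version-release for a binary package name; empty if not in the update.
fixed_build() {
    case "$1" in
        filezilla) echo "3.55.0-1.mga8" ;;
        # i18n exists only with the lib prefix, never lib64 (Comment 9).
        libfilezilla15|lib64filezilla15|libfilezilla-i18n|libfilezilla-devel|lib64filezilla-devel)
            echo "0.30.0-1.mga8" ;;
    esac
}

# Print "fixed", "outdated" or "unrelated" for one NVR string.
check_nvr() {
    rel=${1##*-}; rest=${1%-*}        # split off the release
    ver=${rest##*-}; name=${rest%-*}  # then the version; the rest is the name
    want=$(fixed_build "$name")
    if [ -z "$want" ]; then echo unrelated; return 0; fi
    # sort -V (GNU version sort) approximates rpm's ordering for these strings.
    lowest=$(printf '%s\n%s\n' "$ver-$rel" "$want" | sort -V | head -n 1)
    if [ "$lowest" = "$want" ]; then echo fixed; else echo outdated; fi
}

# Read NVRs on stdin, print the outdated ones, return 1 if any were found.
audit() {
    found=0
    while IFS= read -r nvr; do
        if [ "$(check_nvr "$nvr")" = outdated ]; then echo "$nvr"; found=1; fi
    done
    return "$found"
}

# On a real host: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | audit
audit <<'EOF' || echo "update to the Comment 5 builds"
filezilla-3.52.2-1.mga8
libfilezilla-devel-0.25.0-2.mga8
lib64filezilla15-0.30.0-1.mga8
EOF
```

A `lib64filezilla-i18n` string is reported as `unrelated` because no package of that name is part of the update.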

