+++ This bug was initially created as a clone of Bug #27231 +++
+++ This bug was initially created as a clone of Bug #26875 +++

PuTTY 0.74 has been released on June 27:
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

As usual, it contains a security fix. Filezilla will also have to be fixed, but it doesn't look like they have done so upstream yet:
https://svn.filezilla-project.org/filezilla/FileZilla3/trunk/src/putty/

This is CVE-2020-14002.

Fedora has issued an advisory for this on July 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/

Fedora has issued advisories for filezilla and libfilezilla on July 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/

They updated to filezilla 3.48.1 and libfilezilla 0.22.0. Apparently they don't fix this issue, however.

It looks like FileZilla 3.54 was the first to update to PuTTY 0.74:
https://svn.filezilla-project.org/filezilla?view=revision&revision=10235
https://filezilla-project.org/
There is filezilla-3.52.2-1.mga8.src.rpm in core/updates_testing. This is also affected.
CC: (none) => ouaurelien
New filezilla added in mga8/9 src:
- libfilezilla-0.30.0-1.mga8
- filezilla-3.55.0-1.mga8
Assignee: geiger.david68210 => qa-bugs
Updates bundled PuTTY to "pre-0.76"

libfilezilla15-0.30.0-1.mga8
libfilezilla-i18n-0.30.0-1.mga8
libfilezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm
Additional advisory reference: https://filezilla-project.org/versions.php
Advisory:
========================

Updated filezilla and libfilezilla packages fix security vulnerability:

filezilla embeds a PuTTY client that is vulnerable:

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14002).

The filezilla packages are updated to fix this issue to 3.55.0 version among other bugfixes since 3.51.0 we shipped in Mageia 8. See upstream release notes for more information.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29186
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14002
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRKUHQP6O6TGN64SI7PYCKHJT24Y2EY2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IRAC73KPNR4HKTRKJNLIZXCYIP6STUZN/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://filezilla-project.org/versions.php
========================

Updated packages in core/updates_testing:
========================

lib(64)filezilla15-0.30.0-1.mga8
lib(64)filezilla-i18n-0.30.0-1.mga8
lib(64)filezilla-devel-0.30.0-1.mga8
filezilla-3.55.0-1.mga8

from SRPMS:
libfilezilla-0.30.0-1.mga8.src.rpm
filezilla-3.55.0-1.mga8.src.rpm
Mageia 8 X64 Gnome
Installed without problem. Tested with uploaded, downloaded and removed files without problems.
CC: (none) => hdetavernier
Strange: in QArepo:
lib64filezilla-i18n-0.30.0-1.mga8 not found in the remote repository
CC: (none) => herman.viaene
Forgot to mention: Dutch installation.
i18n is just lib, not lib64.
Yes, that did it.
Aurelien, please don't put me on the wrong foot again, I've got already a bad leg. ;)
Connected filezilla to my own webspace, works OK.
Whiteboard: (none) => MGA8-64-OK
(In reply to Herman Viaene from comment #10)
> Yes, that did it.
> Aurelien, please don't put me on the wrong foot again, I've got already a
> bad leg. ;)
> Connected filezilla to my own webspace, works OK.

Oops, sorry.
Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CVE: (none) => CVE-2020-14002
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0380.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED