That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/04/15/6 That vulnerability has been fixed in PuTTY 0.81 and FileZilla 3.67.0. Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in PuTTY 0.81 and FileZilla 3.67.0
CVE: (none) => CVE-2024-31497
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => putty, filezilla
Assigning this to you, David, as you look to be the maintainer for both packages.
Assignee: bugsquad => geiger.david68210
Fixed both mga9 and Cauldron!
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assigning to QA, Packages in 9/Core/Updates_testing:
======================
filezilla-3.67.0-1.mga9
libfilezilla-devel-0.47.0-1.mga9
lib64filezilla-devel-0.47.0-1.mga9
libfilezilla43-0.47.0-1.mga9
lib64filezilla43-0.47.0-1.mga9
libfilezilla-i18n-0.47.0-1.mga9.noarch.rpm
putty-0.81-1.mga9

From SRPMS:
filezilla-3.67.0-1.mga9.src.rpm
libfilezilla-0.47.0-1.mga9.src.rpm
putty-0.81-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
Keywords: (none) => advisory
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date

RH mageia 9 x86_64

installing lib64filezilla43-0.47.0-1.mga9.x86_64.rpm filezilla-3.67.0-1.mga9.x86_64.rpm libfilezilla-i18n-0.47.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: libfilezilla-i18n ##################################################################################################
2/3: lib64filezilla43 ##################################################################################################
3/3: filezilla ##################################################################################################
1/2: removing libfilezilla-i18n-0.45.0-1.mga9.noarch ##################################################################################################
2/2: removing filezilla-3.66.4-1.mga9.x86_64 ##################################################################################################

LC_ALL=C urpmi putty
installing putty-0.81-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: putty ##################################################################################################

Use filezilla to connect to remote sftp server, transfer file from and to remote server.
Use filezilla to connect to remote ftp server, transfer file from and to remote server.
Use putty to connect to remote ssh server.
Looks good for me.
Installed and tested filezilla without issue. Tested sftp (using ssh keys), ftps, and ftp. Tested connecting to multiple servers. No issues found.

One thing I noticed is that I have several lib64filezilla* packages of different versions installed (see list below). These packages are not required by any other packages and can be removed. Shouldn't the older packages be replaced by the newer one instead of just being left installed?

System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using the amdgpu driver.

$ uname -a
Linux jupiter 6.6.22-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 17 18:04:51 UTC 2024 x86_64 GNU/Linux

$ rpm -qa | grep filezilla
lib64filezilla36-0.42.2-1.mga9
lib64filezilla41-0.45.0-1.mga9
libfilezilla-i18n-0.47.0-1.mga9
lib64filezilla43-0.47.0-1.mga9
filezilla-3.67.0-1.mga9
CC: (none) => mageia
They aren't removed automatically. You need to run urpme --auto-orphans.
(In reply to David Walser from comment #6)
> They aren't removed automatically. You need to run urpme --auto-orphans.

But these libraries are used only by older filezilla packages, so what is the point in keeping the older libraries and not just updating them like most others?
urpme --auto-orphans is what you need to run to not keep them, as they're no longer needed. They have already been updated.
(In reply to David Walser from comment #8)
> urpme --auto-orphans is what you need to run to not keep them, as they're no
> longer needed. They have already been updated.

Yes, I understood comment 6, but my question is why those libraries aren't replaced by the newer version in the first place. What is the point of keeping the older libraries that are only used by older filezilla packages that are no longer installed?
Generally speaking, when a library major number changes, it's not compatible with the older versions, so it cannot be used as a drop-in replacement, and it wouldn't be appropriate for urpmi to just remove the old one, as that may break software that is built against the old one. For rpms that depend on the old one, urpm* will know about that, and if there aren't any, urpme --auto-orphans will allow you to remove the older libraries and other packages that are no longer required by other packages. It cannot know about non-rpm software that may be using the older libraries, so you have to run the urpme command when you know that it's safe to do so.
Filezilla MGA9-64, Plasma

The following 12 packages are going to be installed:
- filezilla-3.67.0-1.mga9.x86_64
- gspell-i18n-1.12.1-1.mga9.x86_64
- lib64filezilla43-0.47.0-1.mga9.x86_64
- lib64gspell1_2-1.12.1-1.mga9.x86_64
- lib64wx_baseu3.2_0-3.2.1-3.mga9.x86_64
- lib64wx_baseu_xml3.2_0-3.2.1-3.mga9.x86_64
- lib64wx_gtk3u_aui3.2_0-3.2.1-3.mga9.x86_64
- lib64wx_gtk3u_core3.2_0-3.2.1-3.mga9.x86_64
- lib64wx_gtk3u_html3.2_0-3.2.1-3.mga9.x86_64
- lib64wx_gtk3u_xrc3.2_0-3.2.1-3.mga9.x86_64
- libfilezilla-i18n-0.47.0-1.mga9.noarch
- wxgtk3.2-3.2.1-3.mga9.x86_64
-- this is an upgrade

system is connecting fine
downloaded a file
working as expected
CC: (none) => brtians1
Putty MGA9-32, Mate

Installed
Connected via ssh to remote server, no issues.
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240419-010600-synthesis.hdlist.cz
updated medium "Core Updates (distrib3)"
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date

installing libfilezilla-i18n-0.47.0-1.mga9.noarch.rpm libfilezilla43-0.47.0-1.mga9.i586.rpm filezilla-3.67.0-1.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... ################################################################
1/3: libfilezilla-i18n ################################################################
2/3: libfilezilla43 ################################################################
3/3: filezilla ################################################################
1/2: removing filezilla-3.66.4-1.mga9.i586 ################################################################
2/2: removing libfilezilla-i18n-0.45.0-1.mga9.noarch ################################################################

Connect to remote server by sftp OK
Connect to remote server by ftp OK
CC: (none) => andrewsfarm
Source RPM: putty, filezilla => putty, filezilla, libfilezilla
Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0140.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED