Please update filezilla to 3.1.0.1

Bug #251950 reported by Dylan Aïssi
Affects              Status        Importance  Assigned to   Milestone
filezilla (Ubuntu)   Fix Released  Wishlist    Adrien Cunin

Bug Description

Binary package hint: filezilla

FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are handled on SSL/TLS secured data transfers.

If the data connection of a transfer gets closed, FileZilla did not check if the server performed an orderly TLS shutdown.

Impact

An attacker could send spoofed FIN packets to the client. Even though GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla did not record a transfer failure in all cases.

Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since this cannot be distinguished from an attack, FileZilla will not be able to download listings or files from such servers.

Affected versions

All versions prior to 3.1.0.1 are affected. This vulnerability has been fixed in 3.1.0.1.
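The failure mode described in the advisory, as an added example that is not FileZilla's or GnuTLS's code: a TLS session run entirely in memory with Python's ssl.MemoryBIO stands in for the data connection, the server side ends it either with close_notify (an orderly shutdown) or by vanishing after half of the data (what a spoofed FIN looks like from the client's side), and two client policies read the stream. The lenient policy mirrors the pre-3.1.0.1 behaviour: an EOF without close_notify passes as a normal end of data even though the library complained. The strict policy refuses to call the transfer complete without close_notify. The example assumes the openssl command-line tool is installed, used only to mint a throwaway self-signed certificate for localhost so that there is something to handshake with; the listing payload is constructed.

```python
import os
import shutil
import ssl
import subprocess
import tempfile

OPENSSL_AVAILABLE = shutil.which("openssl") is not None

# Constructed payload standing in for a directory listing (43 bytes x 40).
PAYLOAD = b"drwxr-xr-x 2 ftp ftp 4096 Aug 09 2008 pub\r\n" * 40
HALF = len(PAYLOAD) // 2


def make_self_signed_cert(tmpdir):
    """Throwaway self-signed localhost cert via the openssl CLI (assumed present)."""
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def pump(src, dst):
    """Move whatever one side wrote into the other side's input buffer."""
    data = src.read()
    if data:
        dst.write(data)


def handshake(peers):
    """peers: [(SSLObject, its outgoing BIO, the other side's incoming BIO), ...]."""
    done = [False] * len(peers)
    for _ in range(10):                      # a few flights suffice for TLS 1.2/1.3
        for i, (obj, out, peer_in) in enumerate(peers):
            if not done[i]:
                try:
                    obj.do_handshake()
                    done[i] = True
                except ssl.SSLWantReadError:
                    pass
            pump(out, peer_in)
        if all(done):
            return
    raise RuntimeError("handshake did not complete")


def receive(client, strict):
    """Read to end of stream; returns (status, bytes). strict=False is the old flaw."""
    received = b""
    while True:
        try:
            chunk = client.read(4096)        # b"" once close_notify was received
        except ssl.SSLWantReadError:
            raise RuntimeError("harness bug: input ran dry before EOF")
        except ssl.SSLError:                 # SSLEOFError: EOF without close_notify
            if strict:
                return "truncated", len(received)
            chunk = b""                      # lenient: swallow it, like the old client
        if not chunk:
            return "complete", len(received)
        received += chunk


def run_transfer(orderly, strict, cert, key):
    """One download over an in-memory TLS session; returns receive()'s verdict."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.load_verify_locations(cafile=cert)
    if strict:
        # CPython sets OP_IGNORE_UNEXPECTED_EOF on OpenSSL 3 builds, which makes a
        # bare EOF look like close_notify; clear it (a no-op where it is absent).
        client_ctx.options &= ~getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    handshake([(client, c_out, s_in), (server, s_out, c_in)])
    server.write(PAYLOAD[:HALF])
    pump(s_out, c_in)                        # the first half reaches the client
    server.write(PAYLOAD[HALF:])
    if orderly:
        try:
            server.unwrap()                  # queue close_notify behind the data
        except ssl.SSLWantReadError:
            pass                             # the peer's reply is not awaited here
        pump(s_out, c_in)
    # otherwise the second half never arrives: a FIN ends the connection first
    c_in.write_eof()
    return receive(client, strict)


def compare():
    """All four combinations of shutdown style and client policy."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        cert, key = make_self_signed_cert(tmpdir)
        for orderly in (True, False):
            for strict in (False, True):
                label = ("close_notify" if orderly else "bare_fin", "strict" if strict else "lenient")
                results[label] = run_transfer(orderly, strict, cert, key)
    return results
```

Calling compare() gives four verdicts: both policies report "complete" with the full payload after close_notify, but after the bare FIN the lenient client still reports "complete" with only half the bytes, while the strict client reports "truncated". Note that a plain Python client behaves like the lenient column out of the box (SSLSocket defaults to suppress_ragged_eofs=True and, on OpenSSL 3 builds, the context sets OP_IGNORE_UNEXPECTED_EOF), so the check has to be explicit. The strict policy also carries the cost the advisory names: a server that simply closes the TCP connection without close_notify is indistinguishable from the attack and every transfer from it will be reported as failed.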

Adrien Cunin (adri2000)
Changed in filezilla:
assignee: nobody → adri2000
status: New → Confirmed
Revision history for this message
Adrien Cunin (adri2000) wrote :

I'll update the package in intrepid. FYI I will also do what is necessary to prepare an eventual sync of the package with Debian.
After talking with upstream about the security issue, the issue is that an attacker could make a transfer fail (sending some special packets) and filezilla wouldn't notice it and would show the transfer as successful. I do not currently plan to do any -security upload for that.

Changed in filezilla:
importance: Undecided → Wishlist
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package filezilla - 3.1.0.1-0ubuntu1

---------------
filezilla (3.1.0.1-0ubuntu1) intrepid; urgency=low

  * New upstream release (LP: #251950), new features since 3.0.11.1 include:
     - IPv6 support
     - SOCKS5 and HTTP/1.1 proxy support
  * debian/control: updated package description with the new features

 -- Adrien Cunin <email address hidden> Sat, 09 Aug 2008 18:54:24 +0200

Changed in filezilla:
status: In Progress → Fix Released
Revision history for this message
Linard Verstraete (linardv) wrote :

Filezilla release 3.1.0.1 should also be available in hardy, since it's a LTS (and people will be using it a long time) and this is a security advisory!
Therefore I have set the status back to Confirmed. If there is (are) good argument(s) to not update the hardy-version then you can set it back to "Fix Released".

Changed in filezilla:
status: Fix Released → Confirmed
Revision history for this message
Adrien Cunin (adri2000) wrote :

The one good reason to not put 3.1.0.1 in hardy is that hardy is released and frozen, and doesn't accept new upstream releases (there are exceptions, but this one wouldn't be a good candidate anyway).
If the security issue concerns you, please open a separate bug report, and someone (you?) may be willing to patch the hardy package to fix it. hardy-security would be the proper place for such an upload.

Changed in filezilla:
status: Confirmed → Fix Released
This report contains Public Security information  