Please update filezilla to 3.1.0.1
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| filezilla (Ubuntu) | Fix Released | Wishlist | Adrien Cunin | |
Bug Description
Binary package hint: filezilla
FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors are handled on SSL/TLS secured data transfers.
If the data connection of a transfer gets closed, FileZilla did not check if the server performed an orderly TLS shutdown.
Impact
An attacker could send spoofed FIN packets to the client. Even though GnuTLS detects this with GNUTLS_
Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since this cannot be distinguished from an attack, FileZilla will not be able to download listings or files from such servers.
Affected versions
All versions prior to 3.1.0.1 are affected. This vulnerability has been fixed in 3.1.0.1.
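As an added illustration (not code from FileZilla or from this bug report), a small Python model of the check that 3.1.0.1 introduces: the data-connection reader must see a TLS close_notify alert before it treats a TCP EOF as the end of the transfer. Record parsing is simplified and assumes records are handed up already decrypted; version and cipher details are ignored.

```python
import struct

CT_ALERT, CT_APPDATA = 21, 23          # TLS record content types
CLOSE_NOTIFY = (1, 0)                  # alert level=warning(1), description=close_notify(0)

def parse_records(stream: bytes):
    """Split a byte stream into (content_type, payload) TLS records.
    Records are assumed already decrypted, as the TLS layer hands them
    to the application.  A stream that ends mid-record is truncated."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("stream ends inside a record header")
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("stream ends inside a record body")
        records.append((ctype, body))
        pos += 5 + length
    return records

def finish_transfer(stream: bytes, require_close_notify: bool):
    """Model of the data-connection reader.  Returns (status, data).
    require_close_notify=False reproduces the pre-3.1.0.1 behaviour: a TCP
    EOF is taken as end of file, so a truncated transfer reports "ok".
    require_close_notify=True is the fixed check: EOF without a preceding
    close_notify alert is reported as "truncated"."""
    data, orderly = bytearray(), False
    try:
        for ctype, body in parse_records(stream):
            if ctype == CT_APPDATA:
                data += body
            elif ctype == CT_ALERT and tuple(body[:2]) == CLOSE_NOTIFY:
                orderly = True
                break                    # nothing valid follows close_notify
    except ValueError:
        return "truncated", bytes(data)   # EOF inside a record is always an error
    if orderly or not require_close_notify:
        return "ok", bytes(data)
    return "truncated", bytes(data)

def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS record with a 5-byte header (version field fixed at 1.2)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

# Constructed sample streams: a two-record directory listing, ended either by
# a close_notify alert (orderly) or by a bare TCP FIN with no alert at all.
LISTING = [record(CT_APPDATA, b"-rw-r--r-- 1 u g 10 Jan 1 a.txt\r\n"),
           record(CT_APPDATA, b"-rw-r--r-- 1 u g 20 Jan 1 b.txt\r\n")]
ORDERLY_CLOSE = b"".join(LISTING) + record(CT_ALERT, bytes(CLOSE_NOTIFY))
SPOOFED_FIN = b"".join(LISTING[:1])     # connection torn down after record 1
```

The SPOOFED_FIN stream is also exactly what a server that skips the orderly TLS shutdown produces, which is why the fixed check cannot tell the two apart and fails transfers from such servers.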
| Changed in filezilla: | |
|---|---|
| assignee: | nobody → adri2000 |
| status: | New → Confirmed |
I'll update the package in intrepid. FYI I will also do what is necessary to prepare an eventual sync of the package with Debian.
After talking with upstream about the security issue, the issue is that an attacker could make a transfer fail (sending some special packets) and filezilla wouldn't notice it and would show the transfer as successful. I do not currently plan to do any -security upload for that.