From ${URL}: See the advisory [1] for details referring to putty commit [2]. AFAICS the vulnerable putty version embedded in filezilla is used in the build for fzsftp. See [3] for the corresponding bug report for putty itself. If you fix the vulnerability, please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-4852
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://bugs.debian.org/718779
In summary, filezilla is also affected by CVE-2013-4852. Nothing from upstream yet.
Upstream released 3.7.2 to address the vulnerability; I just added it to portage. Arches, please test and mark stable =net-ftp/filezilla-3.7.2, thanks! Special test: if anyone has a system with gnutls-2.x and an FTPES server with TLS to test filezilla against, it would be great (to confirm gnutls-3.x is not needed anymore for this case, see #431404). If not, this should not block stabilization (I can add a warning for it in the ebuild).
amd64 stable
sparc stable
ppc stable
x86 stable
Additional CVEs came in the wake of this one: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208. filezilla-3.7.3 was released to address these (just added to tree); should we stabilize it in this bug or start a new one? (Sorry, arches, for the double stabilization.)
If those CVEs were released as a group, please file a separate bug. GLSA request filed for this one.
This issue was resolved and addressed in GLSA 201309-08 at http://security.gentoo.org/glsa/glsa-201309-08.xml by GLSA coordinator Chris Reffett (creffett).