| Summary: | <net-ftp/filezilla-3.7.2 : SSH Handshake Integer Overflow Vulnerabilities (CVE-2013-4852) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chris Reffett (RETIRED) <creffett> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | net-ftp, voyageur |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718800 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Chris Reffett (RETIRED)
2013-08-05 23:26:54 UTC
Upstream released 3.7.2 to address the vulnerability, I just added it to portage.

Arches, please test and mark stable =net-ftp/filezilla-3.7.2, thanks!

Special test: if anyone has a system with gnutls-2.x, an FTPES server with TLS to test filezilla against, it would be great (to confirm gnutls-3.x is not needed anymore for this case, see #431404). If not, this should not block stabilization (I can add a warning for it in the ebuild).

amd64 stable

sparc stable

ppc stable

x86 stable

Additional CVEs came in the wake of this one: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208.

filezilla-3.7.3 was released to address these (just added to tree), should we stabilize it in this bug or start a new one? (sorry arches for the double stabilization)

If those CVEs were released as a group, please file a separate bug.

GLSA request filed for this one.

This issue was resolved and addressed in GLSA 201309-08 at http://security.gentoo.org/glsa/glsa-201309-08.xml by GLSA coordinator Chris Reffett (creffett).