See the advisory  for details referring to putty commit .
AFAICS filezilla embedding putty in vulnerable version is used in
build for fzsftp. See  for the corresponding bug report for putty.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
In summary, filezilla is also affected by CVE-2013-4852. Nothing from upstream yet.
Upstream released 3.7.2 to address the vulnerability; I just added it to portage.
Arches, please test and mark stable =net-ftp/filezilla-3.7.2, thanks!
Special test: if anyone has a system with gnutls-2.x, an FTPES server with TLS to test filezilla against, it would be great (to confirm gnutls-3.x is not needed anymore for this case, see #431404).
If not, this should not block stabilization (I can add a warning for it in the ebuild).
Additional CVEs came in the wake of this one: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208.
filezilla-3.7.3 was released to address these (just added to tree). Should we stabilize it in this bug or start a new one? (Sorry, arches, for the double stabilization.)
If those CVEs were released as a group, please file a separate bug. GLSA request filed for this one.
This issue was resolved and addressed in
GLSA 201309-08 at http://security.gentoo.org/glsa/glsa-201309-08.xml
by GLSA coordinator Chris Reffett (creffett).