*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge
(jdstrand):
Binary package hint: filezilla
FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors
are handled on SSL/TLS secured data transfers.
If the data connection of a transfer gets closed, FileZilla did not check if
the server performed an orderly TLS shutdown.
Impact
An attacker could send spoofed FIN packets to the client. Even though
GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla
did not record a transfer failure in all cases.
Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since this
cannot be distinguished from an attack, FileZilla will not be able to download
listings or files from such servers.
Affected versions
All versions prior to 3.1.0.1 are affected. This vulnerability has been
fixed in 3.1.0.1
** Affects: filezilla (Ubuntu)
Importance: Undecided
Status: New
--
Please update filezilla to 3.1.0.1
https://bugs.launchpad.net/bugs/251950
You received this bug notification because you are a member of Ubuntu Bugs,
which is a direct subscriber.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
