filezilla: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208

Related Vulnerabilities: CVE-2013-4206   CVE-2013-4207   CVE-2013-4208   CVE-2013-4852  

Debian Bug report logs - #719070

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Aug 2013 08:39:02 UTC

Severity: grave

Tags: patch, security, upstream

Fixed in version filezilla/3.7.3-1

Done: Adrien Cunin <adri2000@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#719070; Package filezilla. (Thu, 08 Aug 2013 08:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adrien Cunin <adri2000@ubuntu.com>. (Thu, 08 Aug 2013 08:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: filezilla: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208
Date: Thu, 08 Aug 2013 10:35:20 +0200
Package: filezilla
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerabilities were published for filezilla.

CVE-2013-4206[0]:
buffer underrun in modmul can corrupt the heap

CVE-2013-4207[1]:
non-coprime values in DSA signatures can cause buffer overflow in modular inverse

CVE-2013-4208[2]:
Private keys left in memory after being used by PuTTY tools

These three additional CVEs are also fixed in the newest upstream version of filezilla
(embedding the PuTTY source)[3].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4206
[1] http://security-tracker.debian.org/tracker/CVE-2013-4207
[2] http://security-tracker.debian.org/tracker/CVE-2013-4208
[3] https://filezilla-project.org/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

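Added example, not code from this bug report nor from FileZilla or PuTTY: the kind of input validation CVE-2013-4207 is about. A DSA verifier checks the signature ranges and gcd(s, q) before it ever computes a modular inverse, so a non-coprime s (or a q taken from an untrusted host key that is not prime) is a rejected signature rather than an overflowed bignum. The domain parameters, key and message are constructed toy values, not real-world sizes.

```python
import hashlib
import math
import secrets

# Constructed toy DSA domain parameters (p, q, g): tiny so the arithmetic is
# readable, and NOT secure. g = 4 has order q = 11 in Z_23^*.
TOY_PARAMS = (23, 11, 4)

def _hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(params, x, msg):
    """Plain DSA signing with private key x; used here only to produce input."""
    p, q, g = params
    h = _hash_mod_q(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1      # per-signature nonce in [1, q-1]
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(params, y, msg, sig):
    """Verify sig = (r, s) under public key y, validating inputs first.
    q comes from a host key the remote side chose (so it need not be prime)
    and s is attacker-controlled; CVE-2013-4207 was an inverse of s mod q that
    assumed gcd(s, q) == 1. Here every precondition is checked before inverting."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):         # FIPS 186-4 range checks
        return False
    if math.gcd(s, q) != 1:                   # s and q sharing a factor: no inverse
        return False
    w = pow(s, -1, q)                         # safe: the inverse exists
    h = _hash_mod_q(msg, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r

def demo():
    p, q, g = TOY_PARAMS
    x, msg = 7, b"constructed exchange hash"   # constructed private key and message
    y = pow(g, x, p)
    sig = dsa_sign(TOY_PARAMS, x, msg)
    return (dsa_verify(TOY_PARAMS, y, msg, sig),            # genuine: True
            dsa_verify(TOY_PARAMS, y, msg, (sig[0], 0)),    # s = 0: rejected
            dsa_verify(TOY_PARAMS, y, msg, (sig[0], q)),    # s = q: rejected
            # composite q = 15 with s = 5: in range, but gcd(5, 15) = 5, rejected
            dsa_verify((31, 15, 2), y, msg, (1, 5)))
```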


Information forwarded to debian-bugs-dist@lists.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#719070; Package filezilla. (Sat, 07 Sep 2013 04:57:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Adrien Cunin <adri2000@ubuntu.com>. (Sat, 07 Sep 2013 04:57:07 GMT)


Message #10 received at 719070@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 719070@bugs.debian.org, 718800@bugs.debian.org
Subject: Re: Bug#719070: filezilla: CVE-2013-4206 CVE-2013-4207 CVE-2013-4208
Date: Sat, 7 Sep 2013 06:53:05 +0200
Hi

Any news on #719070 and #718800? Could you prepare a new upstream
version for unstable which includes these fixes?

Regards,
Salvatore



Reply sent to Adrien Cunin <adri2000@ubuntu.com>:
You have taken responsibility. (Wed, 11 Sep 2013 10:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Sep 2013 10:21:12 GMT)


Message #15 received at 719070-close@bugs.debian.org:

From: Adrien Cunin <adri2000@ubuntu.com>
To: 719070-close@bugs.debian.org
Subject: Bug#719070: fixed in filezilla 3.7.3-1
Date: Wed, 11 Sep 2013 10:18:09 +0000
Source: filezilla
Source-Version: 3.7.3-1

We believe that the bug you reported is fixed in the latest version of
filezilla, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrien Cunin <adri2000@ubuntu.com> (supplier of updated filezilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 27 Aug 2013 11:47:04 +0200
Source: filezilla
Binary: filezilla filezilla-common
Architecture: source amd64 all
Version: 3.7.3-1
Distribution: unstable
Urgency: low
Maintainer: Adrien Cunin <adri2000@ubuntu.com>
Changed-By: Adrien Cunin <adri2000@ubuntu.com>
Description: 
 filezilla  - Full-featured graphical FTP/FTPS/SFTP client
 filezilla-common - Architecture independent files for filezilla
Closes: 718800 719070
Changes: 
 filezilla (3.7.3-1) unstable; urgency=low
 .
   * New upstream release, fixing the following PuTTY security vulnerabilities:
      - CVE-2013-4852 (Closes: #718800)
      - CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 (Closes: #719070)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:49:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:58 2019; Machine Name: buxtehude
