openSUSE Security Update : filezilla (openSUSE-SU-2013:1347-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

FileZilla was updated to version 3.7.3 to add various features, fix
bugs, and fix security issues in the embedded PuTTY SSH client.

Full changelog: https://filezilla-project.org/changelog.php

- Noteworthy changes :

- Apply a fix for a security vulnerability in PuTTY as
used in FileZilla to handle SFTP. See CVE-2013-4852 for
reference.

- Merge further fixes from PuTTY to address CVE-2013-4206,
CVE-2013-4207, CVE-2013-4208

- Version bump to 3.7.0.1

- Fix issues with bundled gnutls

- Update translations

- Update to version 3.7.0. Changes since 3.6.0.2 :

- Show total transfer speed as tooltip over the transfer
indicators

- List supported protocols in tooltip of host field in
quickconnect bar

- Use TLS instead of the deprecated term SSL

- Reworded text when saving of passwords is disabled, do
not refer to kiosk mode

- Improved usability of Update page in settings dialog

- Improve SFTP performance

- When navigating to the parent directory, highlight the
former child

- When editing files, use high priority for the transfers

- Add label to size conditions in filter conditions dialog
indicating that the unit is bytes

- Ignore drag&drop operations where source and target are
identical and clarify the wording in some drop error
cases

- Trim whitespace from the entered port numbers

- Slightly darker color of inactive tabs

- Ignore .. item in the file list context menus if
multiple items are selected

- Display TLS version and key exchange algorithm in
certificate and encryption details dialog for FTP over
TLS connections.

- Fix handling of remote paths containing double-quotes

- Fix crash when opening local directories in Explorer if
the name contained characters not representable in the
locale's narrow-width character set.

- Fix a memory leak in the host key verification dialog
for SFTP

- Fix drag-scrolling in file lists with very low height

- Don't attempt writing XML files upon loading them

- Improve handling of legacy DDE file associations

- Fix handling of HTTPS in the auto updater in case a
mirror redirects to HTTPS

- Update to version 3.6.0.2. Changes since 3.5.3 :

- 3.6.0.2 (2012-11-29)

- Fix problems with stalling FTP over TLS uploads

- MSW: Minor performance increase listing local files

- 3.6.0.1 (2012-11-18)

- Fix problems with TLS cipher selection, including a
bugfix for GnuTLS

- Fix a crash on shutdown

- Add log message for servers not using UTF-8

- Small performance and memory optimizations getting file
types

- Improve formatting of transfer speeds

- 3.6.0 (2012-11-10)

- Fix a crash introduced since 3.5.3

- IPv6-only hosts should no longer cause a crash in the
network configuration wizard

See also :

http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
https://bugzilla.novell.com/show_bug.cgi?id=834202
https://filezilla-project.org/changelog.php

Solution :

Update the affected filezilla packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: SuSE Local Security Checks

Nessus Plugin ID: 75120

Bugtraq ID:

CVE ID: CVE-2013-4206
CVE-2013-4207
CVE-2013-4208
CVE-2013-4852
