   openSUSE Security Update: filezilla: 3.7.3 version and security bugfix update
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1347-1
Rating:             moderate
References:         #834202
Cross-References:   CVE-2013-4206 CVE-2013-4207 CVE-2013-4208
                    CVE-2013-4852
Affected Products:
                    openSUSE 12.3
                    openSUSE 12.2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   FileZilla was updated to version 3.7.3 to add various features, fix bugs
   and also security issues in the embedded putty ssh client.

   Full changelog: https://filezilla-project.org/changelog.php

   - Noteworthy changes:
     * Apply a fix for a security vulnerability in PuTTY as used in
       FileZilla to handle SFTP. See CVE-2013-4852 for reference.
     * Merge further fixes from PuTTY to address CVE-2013-4206,
       CVE-2013-4207, CVE-2013-4208

   - Version bump to 3.7.0.1
   - Fix issues with bundled gnutls
   - Update translations

   - Update to version 3.7.0. Changes since 3.6.0.2:
     - Show total transfer speed as tooltip over the transfer indicators
     - List supported protocols in tooltip of host field in quickconnect
       bar
     - Use TLS instead of the deprecated term SSL
     - Reworded text when saving of passwords is disabled, do not refer
       to kiosk mode
     - Improved usability of Update page in settings dialog
     - Improve SFTP performance
     - When navigating to the parent directory, highlight the former
       child
     - When editing files, use high priority for the transfers
     - Add label to size conditions in filter conditions dialog
       indicating that the unit is bytes
     - Ignore drag&drop operations where source and target are identical
       and clarify the wording in some drop error cases
     - Trim whitespace from the entered port numbers
     - Slightly darker color of inactive tabs
     - Ignore .. item in the file list context menus if multiple items
       are selected
     - Display TLS version and key exchange algorithm in certificate and
       encryption details dialog for FTP over TLS connections.
     - Fix handling of remote paths containing double-quotes
     - Fix crash when opening local directories in Explorer if the name
       contained characters not representable in the locale's
       narrow-width character set.
     - Fix a memory leak in the host key verification dialog for SFTP
     - Fix drag-scrolling in file lists with very low height
     - Don't attempt writing XML files upon loading them
     - Improve handling of legacy DDE file associations
     - Fix handling of HTTPS in the auto updater in case a mirror
       redirects to HTTPS

   - Update to version 3.6.0.2. Changes since 3.5.3:
     - 3.6.0.2 (2012-11-29)
       * Fix problems with stalling FTP over TLS uploads
       * MSW: Minor performance increase listing local files
     - 3.6.0.1 (2012-11-18)
       * Fix problems with TLS cipher selection, including a bugfix for
         GnuTLS
       * Fix a crash on shutdown
       * Add log message for servers not using UTF-8
       * Small performance and memory optimizations getting file types
       * Improve formatting of transfer speeds
     - 3.6.0 (2012-11-10)
       * Fix a crash introduced since 3.5.3
       * IPv6-only hosts should no longer cause a crash in the network
         configuration wizard

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-650

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-650

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.3 (i586 x86_64):

      filezilla-3.7.3-5.4.1
      filezilla-debuginfo-3.7.3-5.4.1
      filezilla-debugsource-3.7.3-5.4.1

   - openSUSE 12.3 (noarch):

      filezilla-lang-3.7.3-5.4.1

   - openSUSE 12.2 (i586 x86_64):

      filezilla-3.7.3-3.4.1
      filezilla-debuginfo-3.7.3-3.4.1
      filezilla-debugsource-3.7.3-3.4.1

   - openSUSE 12.2 (noarch):

      filezilla-lang-3.7.3-3.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-4206.html
   http://support.novell.com/security/cve/CVE-2013-4207.html
   http://support.novell.com/security/cve/CVE-2013-4208.html
   http://support.novell.com/security/cve/CVE-2013-4852.html
   https://bugzilla.novell.com/834202