CVE-2023-48795 - Terrapin, embedded putty in source tree

Bug #2047669 reported by Phil Wyett
Affects: filezilla (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Paulo Flabiano Smorigo
Milestone:

Bug Description

CVE-2023-48795 - Terrapin, embedded putty in source tree

Filezilla contains putty embedded within the source code tree, so it is affected by Terrapin.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
https://ubuntu.com/security/CVE-2023-48795
https://security-tracker.debian.org/tracker/CVE-2023-48795

Upstream was fixed in version: 3.66.4

Upstream commits:

https://svn.filezilla-project.org/filezilla?view=revision&revision=11047
https://svn.filezilla-project.org/filezilla?view=revision&revision=11048
https://svn.filezilla-project.org/filezilla?view=revision&revision=11049
https://svn.filezilla-project.org/filezilla?view=revision&revision=11051

For older revisions of filezilla, the putty define macro 'PTRLEN_DECL_LITERAL' must also be added to resolve build failures.

Tags: focal jammy

Phil Wyett (kathenas) wrote:

debdiff for jammy

Phil Wyett (kathenas) wrote:

debdiff for focal

Phil Wyett (kathenas) wrote:

I am the Debian maintainer for the filezilla package and I am happy to answer any questions.

Attached debdiffs are for the current and previous LTS only. I have no time to do non-LTS releases for you; as you are aware, Debian contributors are often very busy. :-)

information type: Private Security → Public Security
information type: Public Security → Public
information type: Public → Public Security
Changed in filezilla (Ubuntu):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package filezilla - 3.65.0-3ubuntu0.1

---------------
filezilla (3.65.0-3ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Terrapin Vulnerability
    - debian/patches/CVE-2023-48795.patch: implement "strict key exchange"
      in PROTOCOL, ssh.h, ssh2bpp.c, sshbpp.h, ssh2transport.c, ssh2transport.h,
      sshcommon.c. (LP: #2047669)
    - CVE-2023-48795

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 09 Jan 2024 15:49:22 -0300
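The "strict key exchange" countermeasure named in the changelog is negotiated by each side listing an extension name (kex-strict-s-v00@openssh.com for the server, kex-strict-c-v00@openssh.com for the client) in its SSH_MSG_KEXINIT, which is what a defender checks to confirm a client or server build is patched. The script below is an added example, not code from this bug report or from FileZilla/PuTTY: it parses a KEXINIT payload (RFC 4253 section 7.1) and reports whether that side advertises strict kex and whether it still offers the modes Terrapin targets (chacha20-poly1305@openssh.com, or a CBC cipher combined with an -etm@openssh.com MAC); the sample payloads are constructed inline with a small encoder.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
# Extension names OpenSSH defined for the strict-kex countermeasure.
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists):
    """Encode a KEXINIT payload from a dict of name-lists (constructed test data)."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)          # msg type + cookie
    for f in FIELDS:
        raw = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw               # string = uint32 len + bytes
    return out + b"\x00" + b"\x00\x00\x00\x00"                 # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists; raises on a wrong message type."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}                                        # skip msg type and 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        lists[f] = [s for s in payload[off:off + n].decode("ascii").split(",") if s]
        off += n
    return lists


def assess_terrapin(payload, role):
    """role is 'server' or 'client': the side that sent this KEXINIT.

    A single KEXINIT only shows what this side supports; the connection is
    protected only if both peers advertise strict kex."""
    l = parse_kexinit(payload)
    strict = STRICT_KEX[role] in l["kex"]
    ciphers = set(l["enc_c2s"]) | set(l["enc_s2c"])
    macs = set(l["mac_c2s"]) | set(l["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    return {"strict_kex": strict, "chacha20": chacha, "cbc_etm": cbc_etm,
            "at_risk": (chacha or cbc_etm) and not strict}
```

Feed it the decrypted KEXINIT payload captured from a client or server under test; a result with at_risk set identifies a peer that both lacks strict kex and offers an affected mode.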

Changed in filezilla (Ubuntu):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote:

Thanks, Phil!
