Advisories » MGASA-2016-0118

Updated filezilla packages fix security vulnerability

Publication date: 25 Mar 2016
Modification date: 25 Mar 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-2563

Description

Many versions of PSCP in PuTTY prior to 0.67 have a stack corruption
vulnerability in their treatment of the 'sink' direction (i.e. downloading
from server to client) of the old-style SCP protocol. In order for this
vulnerability to be exploited, the user must connect to a malicious server
and attempt to download any file (CVE-2016-2563).

FileZilla was vulnerable to this issue as it bundles a copy of PuTTY.  The
filezilla package has been updated to version 3.16.1, which fixes this
issue and has many other fixes and enhancements.
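
A host check for the versions named above, as an added example that is not part of the original advisory. The function names are hypothetical, and the thresholds (filezilla 3.16.1, PuTTY 0.67) are taken from the advisory text; a distribution that backports the fix may ship it under an older version number.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical;
# the two thresholds are the fixed versions the advisory names.

# ver_lt A B: succeed if dotted version A is strictly older than B.
# Fields compare as integers, so 3.9.0 < 3.16.1 (a string compare gets it wrong).
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Drop any non-numeric suffix; a missing field counts as 0.
        fa=${fa%%[!0-9]*} fb=${fb%%[!0-9]*}
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
    done
    return 1
}

# advisory_status PACKAGE VERSION: print "needs-update", "ok" or "unknown".
# A release suffix such as "-1.mga5" is stripped before comparing.
advisory_status() {
    case $1 in
        filezilla) fixed=3.16.1 ;;
        putty)     fixed=0.67 ;;
        *) echo "unknown"; return 0 ;;
    esac
    if ver_lt "${2%%-*}" "$fixed"; then
        echo "needs-update"
    else
        echo "ok"
    fi
}

# On an RPM-based host such as Mageia, report on the installed packages.
if command -v rpm >/dev/null 2>&1; then
    for pkg in filezilla putty; do
        if ver=$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null); then
            echo "$pkg $ver: $(advisory_status "$pkg" "$ver")"
        fi
    done
fi
```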
                

References

SRPMS

5/core