Upgrade Urgently Filezilla to GnuTLS 3.1.22

[roy4]

Current version of Filezilla 3.7.4.1 is using GnuTLS 3.1.11, and GnuTLS is already at 3.1.21 (old branch... the new is at 3.2.11) that fixes several bugs and security problems... please upgrade Filezilla.

[roy4]

Several important and critical security problems ( ​http://www.gnutls.org/security.html ) are present in GnuTLS, that are solved in the latest version 3.1.22, please upgrade ASAP

[Tim Kosse]

GnuTLS will be updated in the next version of FileZilla.

I'm not sure these GnuTLS vulnerabilities affect FileZilla as much as other TLS-enabled programs, as FileZilla follows the TOFU approach, prompting the user to manually verify each unknown certificate [*].

These checks are done by FileZilla on top the checks performed by GnuTLS. Trusted certificates need to match byte-by-byte and trust is bound to the initial hostname and port used to connect.

[*] I don't trust the X.509 trust model.

[roy4]

I don't know how the Filezilla is using GnuTLS, but for sure it can't make bad to keep it update.

With the auditing gnutls taking place (​http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7361) it is for sure good idea to keep a eye on GnuTLS web site, because people are probably going to find more holes.

I also don't like the X.509 trust model... but as far as I can see, is not possible for now to use a better model... a ideal one is everyone generate their own... and use some kind of harden and secure version of DNS to verity the validity or something like that.