Opened 9 years ago
Closed 7 years ago
#9312 closed Feature request (fixed)
Upgrade Urgently Filezilla to GnuTLS 3.1.22
|Reported by:||roy4||Owned by:|
|Component version:||Operating system type:||Windows|
|Operating system version:|
The current version of FileZilla 22.214.171.124 is using GnuTLS 3.1.11, and GnuTLS is already at 3.1.21 (old branch... the new one is at 3.2.11), which fixes several bugs and security problems... please upgrade FileZilla.
Change History (4)
comment:1 by , 9 years ago
|Priority:||high → critical|
|Summary:||Upgrade Filezilla to GnuTLS 3.1.21 → Upgrade Urgently Filezilla to GnuTLS 3.1.22|
comment:2 by , 9 years ago
GnuTLS will be updated in the next version of FileZilla.
I'm not sure these GnuTLS vulnerabilities affect FileZilla as much as other TLS-enabled programs, as FileZilla follows the TOFU approach, prompting the user to manually verify each unknown certificate [*].
These checks are done by FileZilla on top of the checks performed by GnuTLS. Trusted certificates need to match byte-by-byte and trust is bound to the initial hostname and port used to connect.
[*] I don't trust the X.509 trust model.
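The TOFU check described in comment:2, sketched as an added example (this is not FileZilla's code): a store that pins the whole DER certificate to the hostname and port first connected to, and reports whether a presented certificate is trusted, unknown, or changed. The class and function names, the hostname `ftp.example.test`, the lowercase normalisation and the sample byte strings are assumptions made for illustration.

```python
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"  # this exact certificate was accepted for this endpoint
    UNKNOWN = "unknown"  # nothing stored for this endpoint: prompt the user
    CHANGED = "changed"  # endpoint is known but the certificate differs


class TofuStore:
    """Pins complete DER certificates to the (hostname, port) first used."""

    def __init__(self):
        self._pins = {}  # (host, port) -> set of accepted DER certificates

    @staticmethod
    def _key(host, port):
        # Assumption: hostnames compare case-insensitively; the port is
        # part of the identity, so trust does not carry across ports.
        return (host.lower(), int(port))

    def check(self, host, port, der):
        pinned = self._pins.get(self._key(host, port))
        if pinned is None:
            return Verdict.UNKNOWN
        # Byte-for-byte match on the whole certificate, not on subject,
        # issuer or any other single field.
        return Verdict.TRUSTED if bytes(der) in pinned else Verdict.CHANGED

    def trust(self, host, port, der):
        """Call only after the user has manually verified the certificate."""
        self._pins.setdefault(self._key(host, port), set()).add(bytes(der))


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = bytes.fromhex("3082010a0282010100") + b"\x01" * 16
CERT_B = CERT_A[:-1] + b"\x02"  # differs from CERT_A in a single byte


def demo():
    store = TofuStore()
    first = store.check("ftp.example.test", 990, CERT_A)
    store.trust("ftp.example.test", 990, CERT_A)
    return [
        first,                                         # first contact
        store.check("FTP.example.test", 990, CERT_A),  # same endpoint and bytes
        store.check("ftp.example.test", 21, CERT_A),   # same host, other port
        store.check("ftp.example.test", 990, CERT_B),  # one byte changed
    ]


if __name__ == "__main__":
    print([v.value for v in demo()])
```

A `CHANGED` verdict is the case that needs the user's attention: the endpoint was trusted before and now presents different bytes.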
comment:3 by , 9 years ago
I don't know how FileZilla is using GnuTLS, but it surely can't hurt to keep it updated.
With the audit of GnuTLS taking place (http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7361), it is surely a good idea to keep an eye on the GnuTLS web site, because people are probably going to find more holes.
I also don't like the X.509 trust model... but as far as I can see, it is not possible for now to use a better model... an ideal one is that everyone generates their own... and uses some kind of hardened and secure version of DNS to verify the validity or something like that.
comment:4 by , 7 years ago
|Status:||new → closed|
Several important and critical security problems (http://www.gnutls.org/security.html) are present in GnuTLS that are solved in the latest version, 3.1.22; please upgrade ASAP.