Opened 5 years ago

Closed 3 years ago

#9312 closed Feature request (fixed)

Upgrade Urgently Filezilla to GnuTLS 3.1.22

Reported by: roy4 Owned by:
Priority: critical Component: FileZilla Client
Keywords: Cc:
Component version: Operating system type: Windows
Operating system version:


The current version of Filezilla is using GnuTLS 3.1.11, and GnuTLS is already at 3.1.21 (old branch... the new one is at 3.2.11), which fixes several bugs and security problems... please upgrade Filezilla.

Change History (4)

comment:1 Changed 5 years ago by roy4

Priority: high → critical
Summary: Upgrade Filezilla to GnuTLS 3.1.21 → Upgrade Urgently Filezilla to GnuTLS 3.1.22

Several important and critical security problems ( ) are present in GnuTLS that are solved in the latest version 3.1.22; please upgrade ASAP.

comment:2 Changed 5 years ago by Tim Kosse

GnuTLS will be updated in the next version of FileZilla.

I'm not sure these GnuTLS vulnerabilities affect FileZilla as much as other TLS-enabled programs, as FileZilla follows the TOFU approach, prompting the user to manually verify each unknown certificate [*].

These checks are done by FileZilla on top of the checks performed by GnuTLS. Trusted certificates need to match byte-by-byte, and trust is bound to the initial hostname and port used to connect.

[*] I don't trust the X.509 trust model.
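As an added illustration of the TOFU check described in the comment above (example code written for this page, not FileZilla's own implementation), the following Python trust store is keyed by (host, port) and accepts only a certificate that is byte-identical to the one stored on first use; the certificate bytes and hostnames are constructed placeholders:

```python
"""Trust-on-first-use (TOFU) certificate store keyed by (host, port).

Constructed example: a certificate is trusted only if its bytes match the
stored one exactly, and trust is bound to the hostname and port of the first
connection. The "certificates" below are placeholder byte strings, not DER.
"""
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"    # byte-identical to the stored certificate
    UNKNOWN = "unknown"    # nothing stored for this host:port -> prompt the user
    MISMATCH = "mismatch"  # a different certificate than the stored one -> refuse


class TofuStore:
    def __init__(self):
        # (host, port) -> exact certificate bytes as presented on first use
        self._trusted = {}

    def check(self, host, port, cert_der):
        stored = self._trusted.get((host.lower(), port))
        if stored is None:
            return Verdict.UNKNOWN
        # byte-by-byte comparison; no CA, chain or wildcard logic is involved here
        if hmac.compare_digest(stored, cert_der):
            return Verdict.TRUSTED
        return Verdict.MISMATCH

    def trust(self, host, port, cert_der):
        """Record the user's explicit decision to trust this exact certificate."""
        self._trusted[(host.lower(), port)] = bytes(cert_der)


def fingerprint(cert_der):
    """SHA-256 fingerprint shown to the user when prompting on an UNKNOWN verdict."""
    return hashlib.sha256(cert_der).hexdigest()


def connect(store, host, port, cert_der, user_accepts):
    """Outcome of the application-level check that runs after the TLS library's
    own validation. user_accepts(host, port, fingerprint) is the user prompt."""
    verdict = store.check(host, port, cert_der)
    if verdict is Verdict.TRUSTED:
        return True
    if verdict is Verdict.MISMATCH:
        return False  # a changed certificate is never accepted silently
    if user_accepts(host, port, fingerprint(cert_der)):
        store.trust(host, port, cert_der)
        return True
    return False


def demo():
    """Walk through the four cases; returns the verdicts for inspection."""
    store = TofuStore()
    cert_a = b"CONSTRUCTED-CERT-A"  # placeholder, not a real certificate
    cert_b = b"CONSTRUCTED-CERT-B"
    accept_all = lambda host, port, fp: True
    reject_all = lambda host, port, fp: False
    first = connect(store, "ftp.example.org", 21, cert_a, accept_all)  # prompt, accepted
    again = connect(store, "ftp.example.org", 21, cert_a, reject_all)  # identical: no prompt
    changed = connect(store, "ftp.example.org", 21, cert_b, accept_all)  # refused outright
    other_port = store.check("ftp.example.org", 990, cert_a)  # trust is per host:port
    return first, again, changed, other_port


if __name__ == "__main__":
    print(demo())
```

The point of the exact-bytes comparison is that a certificate issued by any CA for the same name is still a mismatch, so a compromised or misbehaving CA cannot substitute a new certificate without the user noticing; the cost is that a legitimate renewal also triggers a refusal until the user re-approves the new fingerprint.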

comment:3 Changed 5 years ago by roy4

I don't know how Filezilla is using GnuTLS, but for sure it can't do any harm to keep it updated.

With the auditing of gnutls taking place ( ), it is for sure a good idea to keep an eye on the GnuTLS web site, because people are probably going to find more holes.

I also don't like the X.509 trust model... but as far as I can see, it is not possible for now to use a better model... an ideal one is that everyone generates their own... and uses some kind of hardened and secure version of DNS to verify the validity, or something like that.

comment:4 Changed 3 years ago by Tim Kosse

Resolution: fixed
Status: new → closed