Date: Wed, 19 Feb 2014 04:23:02 GMT
From: Matthew Rezny <matthew@reztek.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/186885: ftp/filezilla hasn't been updated in a year, contains vulnerabilities
Message-ID: <201402190423.s1J4N2c4044960@cgiserv.freebsd.org>
Resent-Message-ID: <201402190430.s1J4U0ek049154@freefall.freebsd.org>
>Number: 186885
>Category: ports
>Synopsis: ftp/filezilla hasn't been updated in a year, contains vulnerabilities
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 19 04:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Matthew Rezny
>Release: 10.0-STABLE
>Organization: RezTek, s.r.o.
>Environment: FreeBSD desktop.reztek 10.0-STABLE FreeBSD 10.0-STABLE #0 r261871: Mon Feb 17 08:33:23 CET 2014 root@desktop.reztek:/usr/obj/usr/src/sys/DESKTOP amd64
>Description:
The FileZilla port has not been updated in a year. The version we have in ports contains vulnerabilities. Copied from the release notes:

3.7.3 (2013-08-07)
Fixed vulnerabilities: Merge further fixes from PuTTY to address CVE-2013-4206, CVE-2013-4207, CVE-2013-4208

3.7.2 (2013-08-06)
Fixed vulnerabilities: Apply a fix for a security vulnerability in PuTTY as used in FileZilla to handle SFTP. See CVE-2013-4852 for reference.

Fortunately, this port uses no patches and the current version builds clean. Thus, updating should only be a matter of changing the version. I noticed the port has NO_STAGE set so maybe it would be good to stagify this port while it's getting updated.
>How-To-Repeat: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852
>Fix:
Index: Makefile =================================================================== --- Makefile (revision 344637) +++ Makefile (working copy) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= filezilla -PORTVERSION= 3.6.0.2 -PORTREVISION= 1 +PORTVERSION= 3.7.4.1 CATEGORIES= ftp MASTER_SITES= SF/${PORTNAME}/FileZilla_Client/${PORTVERSION} DISTNAME= FileZilla_${PORTVERSION}_src Index: distinfo =================================================================== --- distinfo (revision 344637) +++ distinfo (working copy) 
@@ -1,2 +1,2 @@ -SHA256 (FileZilla_3.6.0.2_src.tar.bz2) = 536a5e387f371272b5bcbf51b08a6df07508097b79f496432141c4207098c606 -SIZE (FileZilla_3.6.0.2_src.tar.bz2) = 3540542 +SHA256 (FileZilla_3.7.4.1_src.tar.bz2) = 8be46f472c12d412c58b5a0b1be751c64bc5e7fceaa6b9170f8edbc7dbfa64a9 +SIZE (FileZilla_3.7.4.1_src.tar.bz2) = 3709078 >Release-Note: >Audit-Trail: >Unformatted:
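Review bot: The Makefile hunk should not be the whole change for a security update. Around the `+PORTVERSION= 3.7.4.1` line there is no staging conversion, although the description says NO_STAGE is still set, and the patch touches only Makefile and distinfo, so the installed file list across the jump from 3.6.0.2 to 3.7.4.1 is unverified. Dropping `PORTREVISION= 1` is correct for a version bump. Suggest building in a clean environment and comparing the installed files against pkg-plist before commit, and recording CVE-2013-4206, CVE-2013-4207, CVE-2013-4208 and CVE-2013-4852 in a security/vuxml entry so that hosts still running 3.6.0.2 are flagged.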
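Review bot: The new `SHA256` and `SIZE` values in the distinfo hunk are whatever the submitter's fetch produced, so they should be regenerated rather than committed straight from the PR. The Makefile's MASTER_SITES is `SF/${PORTNAME}/FileZilla_Client/${PORTVERSION}`, a mirrored download, so the committer should fetch FileZilla_3.7.4.1_src.tar.bz2 independently, run `make makesum`, confirm that the result matches the digest and the size of 3709078 given here, and compare against an upstream-published checksum if one is available.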