Date:      Wed, 19 Feb 2014 04:23:02 GMT
From:      Matthew Rezny <matthew@reztek.cz>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/186885: ftp/filezilla hasn't been updated in a year, contains vulnerabilities
Message-ID:  <201402190423.s1J4N2c4044960@cgiserv.freebsd.org>
Resent-Message-ID: <201402190430.s1J4U0ek049154@freefall.freebsd.org>


>Number:         186885
>Category:       ports
>Synopsis:       ftp/filezilla hasn't been updated in a year, contains vulnerabilities
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 19 04:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Rezny
>Release:        10.0-STABLE
>Organization:
RezTek, s.r.o.
>Environment:
FreeBSD desktop.reztek 10.0-STABLE FreeBSD 10.0-STABLE #0 r261871: Mon Feb 17 08:33:23 CET 2014     root@desktop.reztek:/usr/obj/usr/src/sys/DESKTOP  amd64

>Description:
The FileZilla port has not been updated in a year. The version we have in ports contains vulnerabilities. Copied from the release notes:

3.7.3 (2013-08-07)
Fixed vulnerabilities:

    Merge further fixes from PuTTY to address CVE-2013-4206, CVE-2013-4207, CVE-2013-4208

3.7.2 (2013-08-06)
Fixed vulnerabilities:

    Apply a fix for a security vulnerability in PuTTY as used in FileZilla to handle SFTP. See CVE-2013-4852 for reference.

Fortunately, this port uses no patches and the current version builds clean. Thus, updating should only be a matter of changing the version.

I noticed the port has NO_STAGE set so maybe it would be good to stagify this port while it's getting updated.
>How-To-Repeat:
CVE-2013-4206, CVE-2013-4207, CVE-2013-4208, CVE-2013-4852
>Fix:
Index: Makefile
===================================================================
--- Makefile    (revision 344637)
+++ Makefile    (working copy)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=      filezilla
-PORTVERSION=   3.6.0.2
-PORTREVISION=  1
+PORTVERSION=   3.7.4.1
 CATEGORIES=    ftp
 MASTER_SITES=  SF/${PORTNAME}/FileZilla_Client/${PORTVERSION}
 DISTNAME=      FileZilla_${PORTVERSION}_src
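Review bot: Dropping PORTREVISION alongside the PORTVERSION bump is correct, since PORTREVISION resets whenever PORTVERSION changes, so the Makefile hunk itself is fine. Two things are left unstated, though: the description says the port still has NO_STAGE set and suggests staging it in the same update, yet this hunk touches only the version lines, so say whether staging is intended here or deferred; and the description quotes release notes only up to 3.7.3 while the bump goes to 3.7.4.1, so confirm that the 3.7.4.1 changelog was checked and that the new version is present at the MASTER_SITES path before this is committed.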
Index: distinfo
===================================================================
--- distinfo    (revision 344637)
+++ distinfo    (working copy)
@@ -1,2 +1,2 @@
-SHA256 (FileZilla_3.6.0.2_src.tar.bz2) = 536a5e387f371272b5bcbf51b08a6df07508097b79f496432141c4207098c606
-SIZE (FileZilla_3.6.0.2_src.tar.bz2) = 3540542
+SHA256 (FileZilla_3.7.4.1_src.tar.bz2) = 8be46f472c12d412c58b5a0b1be751c64bc5e7fceaa6b9170f8edbc7dbfa64a9
+SIZE (FileZilla_3.7.4.1_src.tar.bz2) = 3709078
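Review bot: The new SHA256 and SIZE lines are consistent with the DISTNAME the Makefile hunk produces (FileZilla_3.7.4.1_src.tar.bz2), but the PR does not say how they were obtained. Note whether they came from `make makesum` against MASTER_SITES and whether the hash was compared with the checksum upstream publishes, since a distinfo that merely records whatever a mirror served offers no protection against a tampered distfile.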


>Release-Note:
>Audit-Trail:
>Unformatted:
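The practical question behind this PR is how to tell whether an in-tree or installed FileZilla predates the fixes it lists. The following POSIX shell script is an added example, not part of the PR or of the FreeBSD ports framework: it reads PORTVERSION from a constructed Makefile snippet mirroring the "before" side of the patch, compares it component-wise against the fixed-in versions taken from the release notes quoted in the description (3.7.2 for CVE-2013-4852, 3.7.3 for CVE-2013-4206, CVE-2013-4207 and CVE-2013-4208), and lists the CVEs still unfixed. The function names version_lt, filezilla_open_cves, port_version and main_check are the example's own, and it assumes purely numeric dotted version strings.

```shell
#!/bin/sh
# Added example (not part of the PR): report which of the CVEs named in the PR
# still apply to a given FileZilla PORTVERSION.

# version_lt A B: returns 0 if dotted version A sorts before B, 1 otherwise.
# Both are padded to four numeric components so 3.7.3 and 3.7.4.1 compare
# component-wise; non-numeric components are not supported (assumption).
version_lt() {
    a=$1; b=$2
    i=1
    while [ "$i" -le 4 ]; do
        ca=$(printf '%s.0.0.0.0' "$a" | cut -d. -f"$i")
        cb=$(printf '%s.0.0.0.0' "$b" | cut -d. -f"$i")
        [ "${ca:-0}" -lt "${cb:-0}" ] && return 0
        [ "${ca:-0}" -gt "${cb:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# filezilla_open_cves VERSION: prints, one per line, the CVEs whose fix
# (per the release notes quoted in the PR) is newer than VERSION.
filezilla_open_cves() {
    v=$1
    version_lt "$v" 3.7.2 && echo CVE-2013-4852
    if version_lt "$v" 3.7.3; then
        echo CVE-2013-4206
        echo CVE-2013-4207
        echo CVE-2013-4208
    fi
    return 0
}

# port_version: extracts the first PORTVERSION= value from a Makefile on stdin.
port_version() {
    sed -n 's/^PORTVERSION=[[:space:]]*//p' | head -n 1
}

# Constructed Makefile fragment matching the pre-patch state shown in the PR;
# a real check would read the port's Makefile from the ports tree instead.
SAMPLE_MAKEFILE='PORTNAME=      filezilla
PORTVERSION=   3.6.0.2
PORTREVISION=  1
CATEGORIES=    ftp'

# main_check: ties the pieces together for the sample above.
main_check() {
    v=$(printf '%s\n' "$SAMPLE_MAKEFILE" | port_version)
    echo "ports tree has filezilla $v"
    filezilla_open_cves "$v" | sed 's/^/  unfixed: /'
}
```

Run `main_check` to see the four CVEs reported for 3.6.0.2; with 3.7.4.1 the list is empty, which is the whole point of the bump.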
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201402190423.s1J4N2c4044960>