Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Tip: Styles can be applied quickly to selected text.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

martin

Re: What about the .NET interop?

schaitel wrote:

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?

What do you mean by ".NET interop DLL"? Do you mean WinSCP .NET assembly? You always need to upgrade that along with WinSCP. You cannot use different versions of WinSCP and WinSCP .NET assembly together.
martin

Re: WINSCP.EXE to FTPS site

CoreyB wrote:

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?

Yes, you should upgrade. Actually you should always upgrade, when there's a new version available.
schaitel

What about the .NET interop?

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?
CoreyB

WINSCP.EXE to FTPS site

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?
Craig

Re: WinSCP Version Number

martin wrote:

C:\test>WinSCP.com /?

WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...


Thank you. I was boneheadedly trying winscp.exe and overlooking winscp.com.

Thanks for the quick reply.

Craig
martin

Re: WinSCP Version Number

Craig wrote:

Is there a way to output the version number at the command line from winscp.exe?


C:\test>WinSCP.com /?

WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...
Craig

WinSCP Version Number

While I am aware of the registry key containing the version number of WinSCP:

reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1" /v "DisplayVersion"


Is there a way to output the version number at the command line from winscp.exe?

I am looking for the most efficient and effective way of finding vulnerable versions en masse on large numbers of systems.

Craig
Iruwen

Whoah, I never even noticed that WinSCP supports encrypted FTP until right now :D
martin

Iruwen wrote:

Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?

That's true. But WinSCP is also TLS/SSL client, when used with FTP over TLS/SSL. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!
martin

Re: WinSCP 5.5.3?

Midnitelouie wrote:

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?

It's not released yet. We plan to release 5.5.3 in few days.
Iruwen

We are working on a fix.

It actually affects even clients:
https://security.stackexchange.com/q/55119/43677


Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?
Midnitelouie

WinSCP 5.5.3?

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?
martin

Re: Heartbleed bug in OpenSSL

This bug is tracked here:
https://winscp.net/tracker/1151

We are working on a fix.

It actually affects even clients:
https://security.stackexchange.com/q/55119/43677

Though obviously it is a way more difficult to abuse this on a client side (than on a server side).

Note that OpenSSL is used with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!
CWincentsen

Heartbleed bug in OpenSSL

I just learned of what is considered to be a serious bug in several versions of OpenSSL. I'm concerned that this might/probably affects some recent installations of WinSCP and wanted to alert development to the issue, in case you weren't aware of it already.

This link connects to detailed information about the bug and which versions of OpenSSL are affected... http://heartbleed.com/