Topic "Heartbleed bug in OpenSSL"

Author Message
CWincentsen

Guest


I just learned of what is considered to be a serious bug in several versions of OpenSSL. I'm concerned that this might/probably affects some recent installations of WinSCP and wanted to alert development to the issue, in case you weren't aware of it already.

This link connects to detailed information about the bug and which versions of OpenSSL are affected... http://heartbleed.com/
Freitag

Joined: 2007-10-25
Posts: 51
This heartbleed bug is a server side problem and should not be an issue for client software like WinSCP.





EDIT: a related post https://winscp.net/forum/viewtopic.php?t=13730
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
This bug is tracked here:
https://winscp.net/tracker/show_bug.cgi?id=1151

We are working on a fix.

It actually affects even clients:
http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely

Though obviously it is way more difficult to abuse this on a client side (than on a server side).

Note that OpenSSL is used with FTP over TLS/SSL only. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!
Midnitelouie

Guest


Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?
Iruwen

Guest




Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
Midnitelouie wrote:
Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?

It's not released yet. We plan to release 5.5.3 in a few days.
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
Iruwen wrote:
Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?

That's true. But WinSCP is also a TLS/SSL client when used with FTP over TLS/SSL. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!
Iruwen

Guest


Whoa, I never even noticed that WinSCP supports encrypted FTP until right now :D
Craig

Guest


While I am aware of the registry key containing the version number of WinSCP:

Code:
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1" /v "DisplayVersion"


Is there a way to output the version number at the command line from winscp.exe?

I am looking for the most efficient and effective way of finding vulnerable versions en masse on large numbers of systems.

Craig
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
Craig wrote:
Is there a way to output the version number at the command line from winscp.exe?


Code:
C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...
Craig

Guest


prikryl wrote:
Code:
C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...


Thank you. I was boneheadedly trying winscp.exe and overlooking winscp.com.

Thanks for the quick reply.

Craig
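
For the fleet-wide check asked about in the exchange above, here is an added example (not posted by anyone in the thread and not WinSCP's own code) that parses both the `WinSCP.com /?` banner and the registry `DisplayVersion` and flags anything older than 5.5.3. Assumptions: the function names are hypothetical, the thread names 5.5.3 as the fixed release but not the first affected one, so every older version is reported for upgrade, and the non-Wow6432Node key path is added to cover 32-bit Windows.

```powershell
# Added example, not code from the thread. 5.5.3 is the fixed release named above.
# Per the thread, only FTP over TLS/SSL use involves OpenSSL.

function ConvertTo-WinScpVersion {
    # Hypothetical helper: takes a "WinSCP.com /?" banner line or a registry
    # DisplayVersion string; returns the leading numeric version or $null.
    param([string]$Text)
    if ($Text -match '^(?:WinSCP, Version\s+)?(\d+(?:\.\d+){1,3})') {
        return [version]$Matches[1]
    }
    return $null
}

function Get-WinScpInstallStatus {
    # Hypothetical helper: reads DisplayVersion from the uninstall key.
    param([version]$FixedVersion = '5.5.3')
    $sub = 'Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1'
    # Wow6432Node is the path from the thread; the native path is an added
    # assumption to cover 32-bit Windows.
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node', 'HKLM:\SOFTWARE') {
        $key  = Join-Path $root $sub
        $prop = Get-ItemProperty -Path $key -Name DisplayVersion -ErrorAction SilentlyContinue
        if ($prop) {
            $v = ConvertTo-WinScpVersion $prop.DisplayVersion
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Key          = $key
                Version      = $v
                # Unparseable versions are flagged for manual review.
                NeedsUpgrade = ($null -eq $v) -or ($v -lt $FixedVersion)
            }
        }
    }
}

# Banner lines exactly as quoted in the thread, parsed offline.
$banner = 'WinSCP, Version 5.5.2 (Build 4130)',
          'Copyright (c) 2000-2014 Martin Prikryl'
$parsed = $banner | ForEach-Object { ConvertTo-WinScpVersion $_ } |
          Where-Object { $_ } | Select-Object -First 1
'Banner version {0}, older than 5.5.3: {1}' -f $parsed, ($parsed -lt [version]'5.5.3')

# Local registry check; produces no output when WinSCP is not installed.
Get-WinScpInstallStatus | Format-Table -AutoSize
```

On remote hosts the registry function can be run through PowerShell remoting with `Invoke-Command`, which requires remoting to be enabled on the targets.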
CoreyB

Guest


If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?
schaitel

Guest


We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
CoreyB wrote:
If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?

Yes, you should upgrade. Actually, you should always upgrade when there's a new version available.
_________________
Martin Prikryl
martin
Site Admin
Joined: 2002-12-10
Posts: 24993
Location: Prague, Czechia
schaitel wrote:
We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?

What do you mean by ".NET interop DLL"? Do you mean the WinSCP .NET assembly? You always need to upgrade that along with WinSCP. You cannot use different versions of WinSCP and the WinSCP .NET assembly together.
_________________
Martin Prikryl