Heartbleed bug in OpenSSL

Advertisement

CWincentsen
Guest

Heartbleed bug in OpenSSL

I just learned of what is considered to be a serious bug in several versions of OpenSSL. I'm concerned that this might/probably affects some recent installations of WinSCP and wanted to alert development to the issue, in case you weren't aware of it already.

This link connects to detailed information about the bug and which versions of OpenSSL are affected... http://heartbleed.com/

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Re: Heartbleed bug in OpenSSL

This bug is tracked here:
https://winscp.net/tracker/show_bug.cgi?id=1151

We are working on a fix.

It actually affects even clients:
https://security.stackexchange.com/q/55119/43677

Though obviously it is a way more difficult to abuse this on a client side (than on a server side).

Note that OpenSSL is used with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

Reply with quote

Midnitelouie
Guest

WinSCP 5.5.3?

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Re: WinSCP 5.5.3?

Midnitelouie wrote:

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?
It's not released yet. We plan to release 5.5.3 in few days.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Iruwen wrote:

Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?
That's true. But WinSCP is also TLS/SSL client, when used with FTP over TLS/SSL. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

Reply with quote

Craig
Guest

WinSCP Version Number

While I am aware of the registry key containing the version number of WinSCP:

reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1" /v "DisplayVersion"    

Is there a way to output the version number at the command line from winscp.exe?

I am looking for the most efficient and effective way of finding vulnerable versions en masse on large numbers of systems.

Craig

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Re: WinSCP Version Number

Craig wrote:

Is there a way to output the version number at the command line from winscp.exe?

C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...    

Reply with quote

Craig
Guest

Re: WinSCP Version Number

martin wrote:

C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...    

Thank you. I was boneheadedly trying winscp.exe and overlooking winscp.com.

Thanks for the quick reply.

Craig

Reply with quote

CoreyB
Guest

WINSCP.EXE to FTPS site

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?

Reply with quote

schaitel
Guest

What about the .NET interop?

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Re: WINSCP.EXE to FTPS site

CoreyB wrote:

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?
Yes, you should upgrade. Actually you should always upgrade, when there's a new version available.
_________________
Martin Prikryl

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
27,226
Location:
Prague, Czechia

Re: What about the .NET interop?

schaitel wrote:

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?
What do you mean by ".NET interop DLL"? Do you mean WinSCP .NET assembly? You always need to upgrade that along with WinSCP. You cannot use different versions of WinSCP and WinSCP .NET assembly together.
_________________
Martin Prikryl

Reply with quote

Advertisement

You can post new topics in this forum