OpenSSL and Filezilla Server

[Holdstrong]

It is my understanding, but please correct me if I am wrong, that Filezilla Server utilizes OpenSSL.

If so, do we have to be concerned about the recent and much publicized security bug found in OpenSSL?

[botg]

There's no need to be concerned thanks to the advent of FileZilla Server 0.9.44 which contains an updated OpenSSL. You can download the new version from https://filezilla-project.org/download.php?type=server

[mlazzarotto]

Hi, what about Filezilla Server 0.9.34 beta? What's the Openssl version?

[Holdstrong]

.9.44 was just released.

Does this mean that all previous versions are, and have been, vulnerable?

[danielmccann]

I just tried to install 0.9.44 on my Windows Server 2003 to mitigate this issue, but the installer is complaining about the OS version. The error message says it thinks it's XP. XP!

[Holdstrong]

Does that mean that .9.44 cant be installed on XP?

[botg]

XP is an outdated and operating system no longer supported by its vendor. You shouldn't use outdated systems in a networked environment.

The last version of FileZilla Server that did still support XP has been 0.9.42.

All versions of FileZilla Server earlier than 0.9.44 suffer from OpenSSL vulnerabilities.

[cdnjay]

We're using fzldap, I'm guessing OpenSSL 1.0.1 and thus the Heartbleed vulnerability was present in Filezilla Server 0.9.41?

http://sourceforge.net/projects/fzldap/files/

Jason

[rebus9]

The post from danielmccann said he was getting the XP error when installing on Sever 2003, which is not EOL until July 2015.

EDIT/UPDATE: I tried to update FS 0.9.41 beta, to 0.9.44 on a Server 2003 machine, and the installation failed with the error that Window Vista or higher is required.

I agree with blocking installs on XP which is EOL, but Server 2003 is still supported by Microsoft for another 15 months. Any chance of getting an installer that will allow Server 2003?

[botg]

With the previous version it took many hours of work to compile binaries for XP(-like) systems, supporting old systems is very tedious. That said, feel free to compile FileZilla Server from source for your particular platform, everything is still there.

[victoriamon]

With the previous version it took many hours of work to compile binaries for XP(-like) systems, supporting old systems is very tedious. That said, feel free to compile FileZilla Server from source for your particular platform, everything is still there.

Windows XP gone then why we need even to keep caring about it?

[Respectable]

When I upgrade .9.40 beta to .9.44 to counter the OpenSSL problem, will I be doing a full install of another instance, or will it pickup and copy over the settings from .9.40?

Thanks.

[botg]

You can safely install the new version over the old one, your settings will be copied over. One exception: Aliases using physical path syntax are lost. You need to recreate them using virtual path syntax.

[surr34l]

Install it to the same folder and it keeps all your settings.

The only thing you have to do when you upgrade is, if you set your service to use a local user account login to be able to access networked files on other computers, you have to redo the user/password for the FileZilla FTP Server service in computer management.

[rebus9]

Windows XP gone then why we need even to keep caring about it?

botg was replying to my post about Server 2003, not XP. XP needs to go away for sure. But, there are a LOT of Server 2003 deployments still in production worldwide, which is why there is concern about FS on 2003.

Microsoft continues to support Server 2003 until July 2015, but it has XP-like characteristics so the FS installer does not work on 2003.