FileZilla Server 0.9.44 and OpenSSL on Windows 2003

[botg]

The problem is with the OpenSSL DLLs, building those for XP is very difficult and time consuming.

[surr34l]

I would love the info to be able to do it. Unfortunately, I haven't done anything with compiling before, but could figure it out with a decent step-by-step or something in the general ballpark.

I looked on the site for instructions on how to compile server, but could only find info on compiling the client, which after downloading and extracting as instructed.. the first command generated errors. So is life.

Either way, I'd love to be able to do it myself, but if not the final binary would be greatly appreciated.

[boco]

So far, using 0.9.43 with the SSL files from 0.9.44 seems to work great.

[fmaxwell]

Of all the times to cease support for Windows 2003, just as the Heartbleed vulnerability is being patched? Seriously?

Windows Server 2003 is a product that Microsoft will continue to support into 2015. I cannot imagine why now, of all times, the FileZilla support under Server 2003 would go away, leaving countless thousands of servers vulnerable.

Please add my voice to those calling for at least one more version of FileZilla Server that supports Windows Server 2003.

[boco]

Just update the two DLLs. Problem solved.

[Franklin]

Just update the two DLLs. Problem solved.

Does updating the DLL's seem right to you Tim?

I tried testing for Heartbleed on a Filezilla server using:
the test site http://filippo.io/Heartbleed
Testing against the TCP Port 990

The report indicated that the test site running V 0.9.43 tested OK without any updates to the DLL's.
Since then I have updated these two DDL's with the V 0.9.44 DDL's and it tested OK also.

What I was looking for was a test that said, it is NOT OK, then update the DLL's and see it pass the test.

[botg]

That's very peculiar. Heartbeat is enabled in the version of OpenSSL shipped with FileZilla Server 0.9.43 and it was built from the vulnerable source code.

[botg]

The online tool seems broken. Using the command-line client it reports 0.9.43 as vulnerable.

Code: Select all

./Heartbleed -service=ftp 10.0.0.66:21
2014/04/14 08:30:38 ([]uint8) {
 00000000  02 00 49 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..Iheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  20 59 45 4c 4c 4f 57 20  |lippo.io YELLOW |
 00000020  53 55 42 4d 41 52 49 4e  45 20 31 30 2e 30 2e 30  |SUBMARINE 10.0.0|
 00000030  2e 36 36 3a 32 31 53 cc  b2 99 2f e5 40 82 ad 0e  |.66:21S.../.@...|
 00000040  a0 e5 0b e3 b7 d2 1b d4  69 83 85 a5 52 b6 65 a7  |........i...R.e.|
 00000050  9d 31 e2 45 43 b5 1b dc  87 68 53 8f              |.1.EC....hS.|
}

2014/04/14 08:30:38 10.0.0.59:21 - VULNERABLE

[tmenke]

did we get an answer on this?

Is using the OpenSSL dlls's from the current version and copying them to the folder of the older version a supported method for Server 2003 or will a new package be generated with 2003 support?

EDIT: n/m Didn't see the other thread on this topic

[mikeloeven]

To be honest i think even though ms pulled the plug on xp its still going to be around for a long time. its just that stable.

i think ending support for XP is a mistake because it is still so widely used especially in business

[KKimber]

Hi Support:

Today I've tried to install Filezilla Server 0.9.44 on this Windows Server 2003 and it says this OS is no longer supported and it will not work on this OS.

Will you please provide us with some workaround as the previous version is seriously crippled by the openSSH vulnerability?

Best Regards,
Javier

Some problem and services cant be deleted by installer. installer say success but service is not running and fail to start.

[honzakuchar]

What is the last unaffected version of FileZilla Server. I'm going to downgrade.

[boco]

To my knowledge only 0.9.43 had 1.01 <g OpenSSL DLLs. Check out 0.9.42's DLLs - if they are of 0.x version it should be unaffected by Heartbleed.

BUT

0.9.43 fixed a different security issue, a nasty bug with Aliases. For this reason, only 0.9.44 or 0.9.43 with replaced DLLs from 0.9.44 should be used.

[GldRush98]

Are you shitting me?
Server 2003 is still supported by Microsoft through July of 2015.
http://support.microsoft.com/lifecycle/ ... er+2003+R2
Dropping support prematurely is a bit questionable, and telling people to upgrade a still-supported commercial OS simply because you changed the build spec is straight up bush-league.
Bad form guys. Bad form indeed.

[panos]

Please make a special version of both the client and the server for Windows Server 2003/XP people. We are not asking you for constant support, but rather for addressing the special circumstances caused by the Heartbleed bug which is entirely irrelevant to how old these systems are.

Thanks.