Re: PK67193 and z/OS < 1.9



That might have been me :), anyway I found the same info. I guess the
question is:
Is IBM's answer to implement AT-TLS via Policy Agent sufficient? Or
should we be more insistent that they fix the FTPD server?
Are there others out there running into this issue?

Is this concern more appropriate for IBMTCP-L or MVS-OE?

Dave Gibney
Information Technology Services
Washington State University


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@xxxxxxxxxxx] On
Behalf Of Steve Bireley
Sent: Monday, December 08, 2008 8:30 AM
To: IBM-MAIN@xxxxxxxxxxx
Subject: Re: PK67193 and z/OS < 1.9

This is from the Filezilla web site concerning the issue with 3.1.0.1
and various FTP TLS servers.

This was sent to me by another person on the list a few months ago and
describes the issue.

Steve Bireley
BlueZone Software



http://trac.filezilla-project.org/ticket/3626


Also 2008-07-24 - Security Advisory

FileZilla 3.1.0.1 fixes a vulnerability regarding the way some errors
are handled on SSL/TLS secured data transfers. If the data connection
of a transfer gets closed, FileZilla did not check if the server
performed an orderly TLS shutdown.

Impact

An attacker could send spoofed FIN packets to the client. Even though
GnuTLS detects this with GNUTLS_E_UNEXPECTED_PACKET_LENGTH, FileZilla
did not record a transfer failure in all cases.

Unfortunately not all servers perform an orderly SSL/TLS shutdown. Since
this cannot be distinguished from an attack, FileZilla will not be able
to download listings or files from such servers.

Affected versions

All versions prior to 3.1.0.1 are affected. This vulnerability has been
fixed in 3.1.0.1.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
