Software-update: FileZilla Server 0.9.6

Filezilla Server is een open source FTP-serversoftware en biedt ondersteuning voor onder andere FXP, Secure-FTP, GSS-authenticatie en Kerberos-encryptie. Sinds kort staat er bij Sourceforge een nieuwe versie klaar die 0.9.6 als het versienummer heeft meegekregen. Hierin worden twee mogelijke beveiligingspunten gedicht die mogelijk tot een DoS van een FileZilla Server zouden kunnen leiden. De release notes zien er als volgt uit:

FileZilla Server 0.9.6 fixes two problems which could be used as denial of service attacks against FileZilla Server. The first problem involves reserved MSDOS device names like CON, NUL, COM1, LPT1 and such. Under some Windows versions, FileZilla Server could freeze if the user issued a command to access a file containing a reserved name. The problem seems to only occur on Windows 2000 or older.

The second problem was caused by an infinite loop in the transfer logic. It could only happen if a file or directory listing was downloaded with enabled MODE Z. Certain files did trigger this problem with a high probability allowing a denial of service attack.

New features:

• SSL/TLS encryption. This feature is still experimental, use at your own risk.

Fixed bugs:

• Infinite loop on file uploads or directory listings if using zlib compression
• Sending commands with filenames as arguments which did contain reserved MSDOS device names (such as NUL, CON, COM1, LPT1) could freeze FileZilla Server on older systems. Those filenames are now considered invalid
• Fixed crash if taking server offline
• Connection limits for users did not work as intended
• The /reload-config command line switch has been fixed