Which versions of the Windows TLS/SSL file transfer software like WinSCP and FileZilla are not affected by Heartbleed?

Solution 1:

WinSCP used the affected OpenSSL 1.0.1 since versions 4.3.8 and 5.0.7 beta in their respective branches.

WinSCP 5.5.3 upgraded to OpenSSL 1.0.1g to address the vulnerability. Branch 4.x is not supported anymore and is not planned to be upgraded.

Note that OpenSSL is used by WinSCP with FTP over TLS/SSL only. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

The vulnerability is tracked here:
https://winscp.net/tracker/1151

FileZilla replaced OpenSSL 0.9.8d with GnuTLS since version 3.0, so there is no vulnerable version of FileZilla.


Fortunately, an exploit of the vulnerability in clients is less probable than in servers. As a client, you are in charge of where you connect to. I.e., do not connect to servers you do not trust.
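
An added example, not part of the original answer: a Python check that applies the WinSCP version ranges stated above to a software inventory and separates installs that actually use FTP over TLS/SSL from those that only bundle the affected library. The inventory, host names, protocol labels and status strings are assumptions constructed for illustration.

```python
import re

# Ranges taken from the answer above; each is (first affected, first unaffected).
AFFECTED_RANGES = [
    ((4, 3, 8), (5, 0, 0)),  # 4.x branch: affected from 4.3.8, never upgraded
    ((5, 0, 7), (5, 5, 3)),  # 5.x branch: affected from 5.0.7 beta, fixed in 5.5.3
]
TLS_PROTOCOLS = {"ftps"}  # assumed label for FTP over TLS/SSL sessions


def parse_version(text):
    """Turn '5.0.7 beta' or '5.5' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def has_affected_openssl(version):
    """True if this WinSCP version falls in one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def classify(version, protocols):
    """Combine the build check with the protocols actually configured."""
    if not has_affected_openssl(version):
        return "ok"
    uses_tls = any(p.lower() in TLS_PROTOCOLS for p in protocols)
    return "exposed" if uses_tls else "affected-build-unused"


# Constructed inventory: (host, WinSCP version string, protocols of saved sessions).
INVENTORY = [
    ("ws-01", "5.5.2", ["sftp", "ftps"]),
    ("ws-02", "5.5.2", ["sftp", "scp"]),
    ("ws-03", "5.5.3", ["ftps"]),
    ("ws-04", "4.3.9", ["FTPS"]),
    ("ws-05", "5.0.7 beta", ["ftp"]),
    ("ws-06", "4.3.7", ["ftps"]),
]


def audit(inventory):
    """Map each host to its status."""
    return {host: classify(ver, protos) for host, ver, protos in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `affected-build-unused` still carry the affected library and become exposed as soon as an FTP over TLS/SSL session is configured.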