Which versions of the Windows TLS/SSL file transfer software like WinSCP and FileZilla are not affected by Heartbleed?

ssl heartbleed tls winscp filezilla

Solution 1:

WinSCP used the affected OpenSSL 1.0.1 since versions 4.3.8 and 5.0.7 beta in respective branches.

WinSCP 5.5.3 upgraded to the OpenSSL 1.0.1g to address the vulnerability. Branch 4.x is not supported anymore and is not planned to be upgraded.

Note that OpenSSL is used by WinSCP with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

The vulnerability is tracked here:
https://winscp.net/tracker/1151

FileZilla replaced OpenSSL 0.9.8d with GnuTLS since version 3.0, so there is no vulnerable version of FileZilla.

Fortunately an exploit of the vulnerability in clients is less probable than in servers. As a client you are in charge of where you connect to. I.e. do not connect to servers, you do not trust.

Related

Windows 10 Pro N fails applying the April 2018 update
How can I enable cursor scrolling via mousewheel in emacs with urxvt?
Program to join TS videos using command line
Iptables port mapping from two PCs to one
Sharing iTunes library (Mac/PC)
windows Fall creators update 1709 boot up freeze
Cannot remove language pack on Windows 10 PC
ad blocking host file, shared to all computers on local network
Applying template to Word 2013 document
Windows Update: “Some settings are Managed by your system administrator” [duplicate]
Win10 1803: How to make mobile hotspot a private network?
External ThunderBolt 3 SSD drive not recognized on Ubuntu 17.10 running on Macbook Pro A1706