ashkulz / NppFTP

Plugin for Notepad++ allowing FTP, FTPS, FTPES and SFTP communications
https://ashkulz.github.io/NppFTP/

security issue NppFTP >= 0.30.0, uses libssh < 0.9.3, need libssh security update for CVE-2019-14889 #281

Closed woa7 closed 4 years ago

woa7 commented 4 years ago

NppFTP 0.30.2 using libssh 0.9.1 (without the needed security update for CVE-2019-14889 / unwanted command execution)

Description of the Issue

Via the plugin manager it will install NppFTP 0.30.2. NppFTP 0.30.2 is still on libssh 0.9.1

(without the needed security update for CVE-2019-14889 / unwanted command execution)

and not like the NppFTP 0.29.4 on libssh 0.9.3

Steps to Reproduce the Issue

install NppFTP via plugin manager in Notepad++

Expected Behavior

get a NppFTP version with the security update

Actual Behavior

you get 0.30.2 (still marked as pre-release on GitHub) and not the stable 0.29.4, with the libssh 0.9.3

woa7 commented 4 years ago

see PR #280

woa7 commented 4 years ago

the downgrade via https://github.com/notepad-plus-plus/nppPluginList/commit/8d3a06602b3a0deba784d5e832b22206b727b1f9

did not work for me, as I got the version 0.30.2 today via the plugin manager.

only after a full uninstall of the plugins and a new install, I got the NppFTP 0.29.4