RE: [Full-Disclosure] iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords

From: David Endler (dendler@idefense.com)
Date: 01/30/03

    From: David Endler <dendler@idefense.com>
    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 30 Jan 2003 11:00:24 -0500 (EST)
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Indeed, it is vulnerable in the same way as PuTTY. I've contacted the
    author, Martin Prikryl, who can hopefully turn around an update quickly.

    - -dave

    > -----Original Message-----
    > From: Michael Renzmann [mailto:security@dylanic.de]
    > Sent: Wednesday, January 29, 2003 1:25 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords
    >
    >
    > Hi.
    >
    > iDEFENSE Labs wrote:
    > [...]
    > > PuTTY is a free implementation of Telnet and SSH for Win32 platforms,
    > > along with an xterm terminal emulator. More information is available at
    > > http://www.chiark.greenend.org.uk/~sgtatham/putty/.
    > [...]
    >
    > AFAIK WinSCP2 is a program that relies on the codebase of PuTTY. Does
    > anyone have information on whether WinSCP2 is also "vulnerable" to this?

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE4A96E4F

    iQA/AwUBPjlK8ErdNYRLCswqEQJZtQCgiZBZGExJRcHRTa766nuIREIKukEAoPZ0
    7PSqPP5P+rnTl4Lh2/tcbuGO
    =UAQe
    -----END PGP SIGNATURE-----
