[VulnWatch] Security issue with PuTTY v.54

vulnwatch_at_exocet.ca
Date: 08/04/04

    Date: Wed, 4 Aug 2004 09:03:33 -0700 (PDT)
    To: vulnwatch@vulnwatch.org
    
    

    Haven't seen this on the Vulnwatch list yet, so:

    PuTTY v.54 apparently has a rather serious security issue. Lifted
    straight from the author's web site:

    "2004-08-03 SECURITY HOLE, fixed in PuTTY 0.55

    "PuTTY 0.55, released today, fixes a serious security hole which may
    allow a server to execute code of its choice on a PuTTY client
    connecting to it. In SSH2, the attack can be performed before host key
    verification, meaning that even if you trust the server you think you
    are connecting to, a different machine could be impersonating it and
    could launch the attack before you could tell the difference. We
    recommend everybody upgrade to 0.55 as soon as possible."

    PuTTY can be downloaded from the author's site at:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

    - --
    Sent via Mozilla v1.7
    Deepthought: Debian GNU/Linux (Services: SSH, DNS, IMAP, Web!)
    The PGP signature verifies that I, not an imposter, sent this email.

