SECURITY UPDATE: PuTTY version 0.57 is released

From: Simon Tatham (anakin_at_pobox.com)
Date: 02/20/05

    Date: 20 Feb 2005 16:06:15 +0000 (GMT)
    
    

    SECURITY UPDATE: PuTTY version 0.57 is released
    -----------------------------------------------

    All the pre-built binaries, and the source code, are now available
    from the PuTTY website at

        http://www.chiark.greenend.org.uk/~sgtatham/putty/

    This is a SECURITY UPDATE. We recommend that _everybody_ upgrade, as
    soon as possible.

    This version fixes a security hole in previous versions of PuTTY,
    which can allow a malicious SFTP server to attack your client. If
    you use either PSCP or PSFTP, you should upgrade. Users of the main
    PuTTY program are not affected. (However, note that the server must
    have passed host key verification before this attack can be
    launched, so a man-in-the-middle shouldn't be able to attack you if
    you're careful.)

    This vulnerability was found by iDEFENSE, who we expect to release
    an advisory on the subject shortly.

    In addition to this security patch, there are also a few very minor
    bug fixes which should stop PuTTY from crashing in circumstances
    involving port forwarding, or failing to correctly perform X
    forwarding. Other than that, though, 0.57 is almost identical to the
    previous release 0.56.

    I repeat: PuTTY 0.57 fixes a SERIOUS SECURITY HOLE in many previous
    versions of PSCP and PSFTP. If you use either of those programs, you
    should upgrade now.

    Enjoy using PuTTY!

    -- 
    Simon Tatham         "Thieves respect property; they only wish the property to
    <anakin@pobox.com>    be their own, that they may more properly respect it."
    
