Re: [OT] Security hole in PuTTY (Windows ssh client)

From: Joshua Tinnin (krinklyfig_at_spymac.com)
Date: 08/17/04

  • Next message: Cubicool: "802.1x"
    To: freebsd-questions@freebsd.org
    Date: Mon, 16 Aug 2004 16:43:31 -0700
    
    

    On Monday 16 August 2004 03:52 pm, stheg olloydson
    <stheg_olloydson@yahoo.com> wrote:
    > Hello,
    >
    > Sorry for the completely OT post, but I saw two mentions of PuTTY in
    > one day on the list and assume it must be a popular piece of Windows
    > software.

    It is written for *nix and win32, and it has an MIT license.

    > The SANS Institute "@Risk" newsletter dated 8AUG04 contains
    > the following item regarding PuTTY:
    >
    > 04.31.4 CVE: Not Available
    > Platform: Third Party Windows Apps
    > Title: PuTTY Remote Buffer Overflow
    > Description: PuTTY is a free Telnet and SSH client. It has been
    > reported that PuTTY is subject to a pre-authentication buffer
    > overflow that can allow malicious servers to execute code on a client
    > machine as it attempts to negotiate connection. PuTTY 0.54 and
    > previous versions are vulnerable.
    > Ref:
    > http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10

    You forgot to include this (from the link above):

    *Solution/Vendor Information/Workaround:*

    PuTTY 0.55 fixes these vulnerabilities. It is available at:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

    PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as
    possible.

    --
    The latest PuTTY version in ports is 0.55.
    - jt
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
    

  • Next message: Cubicool: "802.1x"

    Relevant Pages

    • Re: [IPS] PUTTY SSH-Client Exploit
      ... > have used the concept to code this exploit/proof of concept. ... > It's a fake server to exploit the putty client. ... I should point out that the vulnerabilities uncovered by Rapid 7 were ... fixed in PuTTY 0.53b, ...
      (Bugtraq)
    • Re: New security alert
      ... > New SSH vulnerabilities are reported in: ... The "PuTTY 0.53b addresses vulnerabilities discovered by SSHredder" in the ... actual CERT advisory. ...
      (comp.security.ssh)
    • Re: SSH & 5.3 Problems
      ... >newer PuTTY fixed the problem, and it seams to work from FreeBSD 4.10. ... commercial SSH client for our Windows ... username, you pick from a drop-down list Authentication Method: ...
      (freebsd-questions)
    • Re: [opensuse] GNU Screen display issues
      ... The first problem is Yast. ... Try a different ssh client or re-configure putty. ...
      (SuSE)
    • Re: [opensuse] GNU Screen display issues
      ... Try a different ssh client or re-configure putty. ... of screen (the exact opposite before changed encoding). ... For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx ...
      (SuSE)