[OT] Security hole in PuTTY (Windows ssh client)
Joshua Tinnin
krinklyfig at spymac.com
Mon Aug 16 16:43:09 PDT 2004
On Monday 16 August 2004 03:52 pm, stheg olloydson
<stheg_olloydson at yahoo.com> wrote:
> Hello,
>
> Sorry for the completely OT post, but I saw two mentions of PuTTY in
> one day on the list and assume it must be a popular piece of Windows
> software.
It is written for *nix and win32, and it has an MIT license.
> The SANS Institute "@Risk" newsletter dated 8AUG04 contains
> the following item regarding PuTTY:
>
> 04.31.4 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: PuTTY Remote Buffer Overflow
> Description: PuTTY is a free Telnet and SSH client. It has been
> reported that PuTTY is subject to a pre-authentication buffer
> overflow that can allow malicious servers to execute code on a client
> machine as it attempts to negotiate connection. PuTTY 0.54 and
> previous versions are vulnerable.
> Ref:
> http://www.coresecurity.com/common/showdoc.php?idx=417&idxseccion=10
You forgot to include this (from the link above):
*Solution/Vendor Information/Workaround:*
PuTTY 0.55 fixes these vulnerabilities. It is available at:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
PuTTY maintainers recommend that everybody upgrade to 0.55 as soon as
possible.
--
The latest PuTTY version in ports is 0.55.
- jt
More information about the freebsd-questions
mailing list