svn commit: r496062 - head/security/vuxml
Matthias Andree
mandree at FreeBSD.org
Sun Mar 17 14:16:04 UTC 2019
Author: mandree
Date: Sun Mar 17 14:16:03 2019
New Revision: 496062
URL: https://svnweb.freebsd.org/changeset/ports/496062
Log:
Record PuTTY security vulnerabilities in versions before 0.71.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Mar 17 14:14:27 2019 (r496061)
+++ head/security/vuxml/vuln.xml Sun Mar 17 14:16:03 2019 (r496062)
@@ -58,6 +58,48 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="46e1ece5-48bd-11e9-9c40-080027ac955c">
+ <topic>PuTTY -- security fixes in new release</topic>
+ <affects>
+ <package>
+ <name>putty</name>
+ <range><lt>0.71</lt></range>
+ </package>
+ <package>
+ <name>putty-gtk2</name>
+ <range><lt>0.71</lt></range>
+ </package>
+ <package>
+ <name>putty-nogtk</name>
+ <range><lt>0.71</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The PuTTY team reports:</p>
+ <blockquote cite="https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html">
+ <p>New in 0.71:</p>
+ <ul>
+ <li>Security fixes found by an EU-funded bug bounty programme:</li>
+ <li>+ a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification</li>
+ <li>+ potential recycling of random numbers used in cryptography</li>
+ <li>+ on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding</li>
+ <li>+ multiple denial-of-service attacks that can be triggered by writing to the terminal</li>
+ <li>Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.</li>
+ <li>User interface changes to protect against fake authentication prompts from a malicious server.</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html</url>
+ </references>
+ <dates>
+ <discovery>2019-03-16</discovery>
+ <entry>2019-03-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="72a6e3be-483a-11e9-92d7-f1590402501e">
<topic>Jupyter notebook -- cross-site inclusion (XSSI) vulnerability</topic>
<affects>
@@ -88,6 +130,15 @@ Notes:
</description>
<references>
<url>https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-auth-prompt-spoofing.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-fd-set-overflow.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rng-reuse.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-combining-chars-double-width-gtk.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-terminal-dos-one-column-cjk.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pscp-unsanitised-server-output.html</url>
+ <url>https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/side-channels.html</url>
</references>
<dates>
<discovery>2019-03-10</discovery>
More information about the svn-ports-all
mailing list