==================================================================== CERT-Renater Note d'Information No. 2020/VULN380 _____________________________________________________________________ DATE : 09/07/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running PuTTY versions prior to 0.74. ===================================================================== https://lists.tartarus.org/pipermail/putty-announce/2020/000030.html _____________________________________________________________________ PuTTY version 0.74 is released ------------------------------ All the pre-built binaries, and the source code, are now available from the PuTTY website at https://www.chiark.greenend.org.uk/~sgtatham/putty/ This is a bug fix release, and also a minor security update, fixing two SSH-related issues. This release fixes the following security issues: - In some situations an SSH server could cause PuTTY to access freed mdmory by pretending to accept an SSH key and then refusing the actual signature. It can only happen if you're using an SSH agent. - New configuration option to disable PuTTY's default policy of changing its host key algorithm preferences to prefer keys it already knows. (There is a theoretical information leak in this policy.) Other bug fixes include: - Windows installer: the text in the installer UI is now visible in Windows high-contrast mode. (Previously it was white on white by mistake.) - Windows 7: fixed spurious OS out-of-memory error when reading passwords from a Windows console (e.g. psftp). - Terminal crash: the dreaded "line==NULL" error could happen if an application switched between the main and alternate screens while the user was looking at the scrollback. - Terminal crash: the terminal could fail an assertion when sending an empty answerback string, and when pasting text none of whose characters exist in the selected character set. - SSH: fixed endless memory-allocating loop that could be triggered by the combination of a misbehaving SSH agent and PuTTY's bug compatibility mode for padded RSA signatures. - File transfer: when uploading files to some SFTP servers (e.g. the one in proftpd's mod_sftp), PSFTP would consume up to 4GB of local memory before sending anything to the server. - Terminal behaviour: sometimes the cursor was put in the wrong place after restoring from the alternate screen. - GTK: fixed font size calculation when using newer Pango libraries (e.g. the one on Ubuntu 20.04). - GTK: scroll wheel events now work in unusual environments like VNC. Enjoy using PuTTY! Cheers, Simon -- import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9 ,0xa54d9cbe4e8ab,0x746c50eaa1910, "Simon Tatham " )) ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================