Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

Re: Putty 0.56 Security Fix

2004-10-30

WinSCP is the most probably vulnerable. I hope I can manage new release tomorrow.

Guest

Re: Putty 0.56 Security Fix

2004-10-29 01:36

garylove wrote:

So does 3.7 beta use PuTTy 0.56?

WinSCP 3.7 Beta was released on 2004-10-12 and PuTTY's vulnerability was informed to PuTTY developmet team on 2004-10-21.

garylove

Putty 0.56 Security Fix

2004-10-28 22:53

So does 3.7 beta use PuTTy 0.56?

Guest

[FYI]Detail of vulnerability

2004-10-28 07:02

from iDEFENSE (<invalid hyperlink removed by admin>)

The vulnerability specifically exists due to insufficient bounds checking on SSH2_MSG_DEBUG packets. The 'stringlen' parameter is given a user-supplied value by reading in an integer from an offset in the packet data. The 'stringlen' value is incorrectly checked due to signedness issues as seen below.

Guest

Putty 0.56 Security Fix

2004-10-27 20:00

Sorry if this has already been posted, but I haven't seen it...

Another major Putty security hole has been patched... (yeah, 2 in 3 months :( )

From the Putty website:

2004-10-26 ANOTHER SECURITY HOLE, fixed in PuTTY 0.56

PuTTY 0.56, released today, fixes a serious security hole which can allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.56 as soon as possible.

That's two really bad holes in three months. I'd like to apologise to all our users for the inconvenience.

Further details are available from iDEFENSE, here (<invalid hyperlink removed by admin>).

Thanks!

Post a reply

Topic review

Re: Putty 0.56 Security Fix

Re: Putty 0.56 Security Fix

Putty 0.56 Security Fix

[FYI]Detail of vulnerability

Putty 0.56 Security Fix

Documentation

Support

Associations

Follow Us