New PuTTY requested for Terrapin CVEs :: Support Forum

Userman Guest

New PuTTY requested for Terrapin CVEs

2023-12-20 13:19

In its current incarnation, Terrapin involves three vulnerabilities:
CVE-2023-48795
CVE-2023-46445
CVE-2023-46446
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

Kudos

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 40,605
Location:: Prague, Czechia

Re: New PuTTY requested for Terrapin CVEs

2023-12-20

Thanks for your post.

I have added this issue to the tracker:
Issue 2246 – Mitigations for SSH protocol "Terrapin" vulnerability

Reply with quote

itncssupport
Joined:: 2024-01-08
Posts:: 2

Re: New PuTTY requested for Terrapin CVEs

2024-01-08 19:56

Is there an updated version of WinSCP that is available besides the beta version of 6.2.2 MSI package as we are trying to push this update remotely to many laptops.

Reply with quote

dsgoody
Joined:: 2024-01-09
Posts:: 3
Location:: UK

2024-01-09 09:09

Are there any plans to address the Terrapin vulnerabilities in a stable release of WinSCP?

Reply with quote

LC
Joined:: 2024-01-09
Posts:: 2
Location:: UK

When is 6.2.3 to be released?

2024-01-09 16:55

Your site shows the next version as being:
6.2.3 (not released yet)

Is there an ETA on this as I would like to deploy fixes to the Terrapin vulnerabilities without having to deploy Beta software.

Reply with quote

LC

Re: New PuTTY requested for Terrapin CVEs

2024-01-10 09:28

@martin: The tracker states that this is now closed as there is a Beta version available which is not vulnerable to Terrapin.

Is there an ETA on the next stable release as I would like to deploy fixes to the Terrapin vulnerabilities without having to deploy Beta software.

Reply with quote

TheGift73
Joined:: 2024-01-10
Posts:: 1
Location:: Earth

WinSCP 6.1.3 (not released yet)

2024-01-10 16:26

Hi,

I can see that it shows in the release notes for the un-released version of 6.1.3,

Back-propagated some improvements from 6.2 beta release

In the improvements mentioned for version 6.2, it doesn't mention anything regarding the fix to the SSH protocol 'Terrapin' vulnerability.

The only fix for that that I can see for WinSCP is in Beta version 6.2.2

Do you know if the fix for the SSH protocol 'Terrapin' vulnerability, can or will also be added to the next available version of WinSCP?

Reply with quote

martin◆ Site Admin

Re: WinSCP 6.1.3 (not released yet)

2024-01-11

@TheGift73: Currently we do not plan to release any patch for 6.1. Terrapin does not seem to be critical enough to justify it. Stable version of WinSCP 6.2 will be released in several weeks.

Reply with quote

dsgoody
Joined:: 2024-01-09
Posts:: 3
Location:: UK

Re: WinSCP 6.1.3 (not released yet)

2024-02-07 11:31

Is there any update on this? Nearly four weeks have passed since this comment, and seven weeks since this vulnerability was made public.

We'd really like to deploy a stable patched version of WinSCP to our estate, as we did for PuTTY at the start of January.

Thanks.

Reply with quote