punkwalrus (punkwalrus) wrote,
punkwalrus
punkwalrus

Tech - SECURITY - Windows users who use puTTY

We use puTTY a lot at work, and we all got this notice. Verified in the link of the letter:

SECURITY UPDATE: PuTTY version 0.55 is released
-----------------------------------------------

All the pre-built binaries, and the source code, are now available from the PuTTY website at

http://www.chiark.greenend.org.uk/~sgtatham/putty/

This is a bug fix release to 0.54, and also a SECURITY UPDATE. We recommend that _everybody_ upgrade, as soon as possible.

This version fixes a security hole in previous versions of PuTTY, which can allow an SSH2 server to attack your client before host key verification. This means that you are not even safe if you trust the server you _think_ you're connecting to, since it could be spoofed over the network and the host key check would not detect this before the attack could take place. We are not completely certain of the impact of the attack, but it could be as bad as allowing the server to execute code of its choice on the client.

This vulnerability was found by Core Security Technologies, who we understand will shortly release an advisory numbered CORE-2004-0705 on the subject.

In addition to this security fix, there have been some other bug fixes as well. Notable among them are:

- general robustness of the SSH1 implementation has been improved,
which may have fixed further potential security problems although
we are not aware of any specific ones

- random noise generation was hanging some computers and
interfering with other processes' precision timing, and should
now not do so

- dead key support should work better

- a terminal speed is now sent to the SSH server

- removed a spurious diagnostic message in Plink

- the `-load' option in PSCP and PSFTP should work better

- X forwarding on the Unix port can now talk to Unix sockets as
well as TCP sockets

- various crashes and assertion failures fixed.

I repeat: PuTTY 0.55 fixes a SERIOUS SECURITY HOLE in all previous
versions of PuTTY. You should upgrade now.
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 1 comment