SECURITY UPDATE: PuTTY version 0.55 is released
All the pre-built binaries, and the source code, are now available from the PuTTY website at
This is a bug fix release to 0.54, and also a SECURITY UPDATE. We recommend that _everybody_ upgrade, as soon as possible.
This version fixes a security hole in previous versions of PuTTY, which can allow an SSH2 server to attack your client before host key verification. This means that you are not even safe if you trust the server you _think_ you're connecting to, since it could be spoofed over the network and the host key check would not detect this before the attack could take place. We are not completely certain of the impact of the attack, but it could be as bad as allowing the server to execute code of its choice on the client.
This vulnerability was found by Core Security Technologies, who we understand will shortly release an advisory numbered CORE-2004-0705 on the subject.
In addition to this security fix, there have been some other bug fixes as well. Notable among them are:
- general robustness of the SSH1 implementation has been improved,
  which may have fixed further potential security problems although
  we are not aware of any specific ones
- random noise generation was hanging some computers and
  interfering with other processes' precision timing, and should
  now not do so
- dead key support should work better
- a terminal speed is now sent to the SSH server
- removed a spurious diagnostic message in Plink
- the `-load' option in PSCP and PSFTP should work better
- X forwarding on the Unix port can now talk to Unix sockets as
  well as TCP sockets
- various crashes and assertion failures fixed.
I repeat: PuTTY 0.55 fixes a SERIOUS SECURITY HOLE in all previous
versions of PuTTY. You should upgrade now.