[Info] PuTTY-Update for your security


Posted

https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

 

These features are new in 0.71 (released 2019-03-16):

Quote

-    Security fixes found by an EU-funded bug bounty programme:
        -    a remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification
        -    potential recycling of random numbers used in cryptography
        -    on Windows, hijacking by a malicious help file in the same directory as the executable
        -    on Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding
        -    multiple denial-of-service attacks that can be triggered by writing to the terminal
-    Other security enhancements: major rewrite of the crypto code to remove cache and timing side channels.
-    User interface changes to protect against fake authentication prompts from a malicious server.
-    We now provide pre-built binaries for Windows on Arm.
-    Hardware-accelerated versions of the most common cryptographic primitives: AES, SHA-256, SHA-1.
-    GTK PuTTY now supports non-X11 displays (e.g. Wayland) and high-DPI configurations.
-    Type-ahead now works as soon as a PuTTY window is opened: keystrokes typed before authentication has finished will be buffered instead of being dropped.
-    Support for GSSAPI key exchange: an alternative to the older GSSAPI authentication system which can keep your forwarded Kerberos credentials updated during a long session.
-    More choices of user interface for clipboard handling.
-    New terminal features: support the REP escape sequence (fixing an ncurses screen redraw failure), true colour, and SGR 2 dim text.
-    Pressing Ctrl+Shift+PgUp or Ctrl+Shift+PgDn now takes you straight to the top or bottom of the terminal scrollback.

 

Download at
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Windows Binary 32Bit: https://the.earth.li/~sgtatham/putty/latest/w32/putty.zip

Windows Binary 64Bit: https://the.earth.li/~sgtatham/putty/latest/w64/putty.zip

Posted

0.72, released on 2019-07-20, is the latest release. 

 

These features are new in 0.72 (released 2019-07-20):

-    Security fixes found by the EU-funded bug bounty:
        -    two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking
        -    a vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP and PSCP) if a malicious program can impersonate Pageant
-    Bug fix: crash in GSSAPI / Kerberos key exchange affecting third-party GSSAPI providers on Windows (such as MIT Kerberos for Windows)
-    Bug fix: crash in GSSAPI / Kerberos key exchange triggered if the server provided an ordinary SSH host key as part of the exchange
-    Bug fix: trust sigils were never turned off in SSH-1 or Rlogin
-    Bug fix: trust sigils were never turned back on if you used Restart Session
-    Bug fix: PSCP in SCP download mode could create files with a spurious newline at the end of their names
-    Bug fix: PSCP in SCP download mode with the -p option would generate spurious complaints about illegal file renaming
-    Bug fix: the initial instruction message was never printed during SSH keyboard-interactive authentication
-    Bug fix: pasting very long lines through connection sharing could crash the downstream PuTTY window
-    Bug fix: in keyboard layouts with a ',' key on the numeric keypad (e.g. German), Windows PuTTY would generate '.' instead for that key
-    Bug fix: PuTTYgen could generate RSA keys with a modulus one bit shorter than requested

 

32bit

https://the.earth.li/~sgtatham/putty/0.72/w32/putty.zip

 

64bit

https://the.earth.li/~sgtatham/putty/0.72/w64/putty.zip

Posted

These features are new in 0.73 (released 2019-09-29):

-    Security fix: on Windows, other applications were able to bind to the same TCP port as a PuTTY local port forwarding.
-    Security fix: in bracketed paste mode, the terminal escape sequences that should delimit the pasted data were appearing together on one side of it, making it possible to misidentify pasted data as manual keyboard input.
-    Bug fix (possibly security-related): an SSH-1 server sending a disconnection message could cause an access to freed memory.
-    Bug fix: Windows Plink would crash on startup if it was acting as a connection-sharing downstream.
-    Bug fix: Windows PuTTY now updates its terminal window size correctly if the screen resolution changes while it's maximised.
-    Bug fix: tweaked terminal handling to prevent lost characters at the ends of lines in gcc's coloured error messages.
-    Bug fix: removed a bad interaction between the 'clear scrollback' operation and mouse selection that could give rise to the dreaded "line==NULL" assertion box.

32bit

https://the.earth.li/~sgtatham/putty/latest/w32/putty.zip

 

64bit

https://the.earth.li/~sgtatham/putty/latest/w64/putty.zip
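
The bracketed-paste fix in the 0.73 list above, seen from the receiving application's side: this is an added example, not part of the original posts and not PuTTY's code. It assumes the standard xterm delimiters (ESC [ 200 ~ and ESC [ 201 ~), uses constructed sample input, and places the misordered pair before the data (the changelog does not say which side).

```python
# Standard xterm bracketed-paste delimiters, sent by the terminal around
# pasted text once the application has enabled mode 2004.
PASTE_START = b"\x1b[200~"
PASTE_END = b"\x1b[201~"


def classify_input(stream: bytes):
    """Split terminal input into ("typed" | "pasted", data) segments."""
    segments = []
    pos = 0
    while pos < len(stream):
        start = stream.find(PASTE_START, pos)
        if start == -1:
            segments.append(("typed", stream[pos:]))
            break
        if start > pos:
            segments.append(("typed", stream[pos:start]))
        body = start + len(PASTE_START)
        end = stream.find(PASTE_END, body)
        if end == -1:
            # Unterminated paste: stay conservative, treat the rest as pasted.
            segments.append(("pasted", stream[body:]))
            break
        segments.append(("pasted", stream[body:end]))
        pos = end + len(PASTE_END)
    return segments


def typed_bytes(stream: bytes) -> bytes:
    """Everything the application would treat as manual keyboard input."""
    return b"".join(d for kind, d in classify_input(stream) if kind == "typed")


def has_empty_paste(stream: bytes) -> bool:
    """Heuristic: an empty bracket pair next to other data suggests the
    delimiters were emitted together instead of around the paste."""
    segs = classify_input(stream)
    return len(segs) > 1 and any(k == "pasted" and not d for k, d in segs)


# Constructed sample input: the user pastes a line containing a newline.
PASTE = b"echo pasted\n"
CORRECT = PASTE_START + PASTE + PASTE_END       # delimiters around the data
MISORDERED = PASTE_START + PASTE_END + PASTE    # both delimiters on one side

if __name__ == "__main__":
    for name, s in (("correct", CORRECT), ("misordered", MISORDERED)):
        print(name, classify_input(s), "typed:", typed_bytes(s))
```

With the delimiters misplaced, the pasted newline reaches the application as typed input, which is the misidentification the changelog entry describes.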
