Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 542098 (CVE-2015-2157) - <net-misc/putty-0.64: fails to clear private key information from memory (CVE-2015-2157)
Summary: <net-misc/putty-0.64: fails to clear private key information from memory (CVE...
Status: RESOLVED FIXED
Alias: CVE-2015-2157
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.chiark.greenend.org.uk/~sg...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-04 14:33 UTC by Jeroen Roovers (RETIRED)
Modified: 2015-07-05 21:15 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2015-03-04 14:33:00 UTC 
Arch teams, please test and mark stable:
=net-misc/putty-0.64
Targeted stable KEYWORDS : alpha amd64 hppa ppc sparc x86
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-05 08:20:37 UTC 
Stable for HPPA.
Comment 2 Agostino Sarubbo gentoo-dev 2015-03-06 09:55:17 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-03-06 09:55:45 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-26 11:23:15 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-30 09:50:13 UTC 
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-30 10:02:56 UTC 
alpha stable.

Maintainer(s), please cleanup.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:21:05 UTC 
Arches, Thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:24:45 UTC 
GLSA Vote: No
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-07-05 21:15:35 UTC 
CVE-2015-2157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2157):
  The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51
  through 0.63 do not properly wipe SSH-2 private keys from memory, which
  allows local users to obtain sensitive information by reading the memory.