| Summary: | <net-misc/putty-0.64: fails to clear private key information from memory (CVE-2015-2157) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html | | |
| Whiteboard: | C3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Jeroen Roovers (RETIRED)
2015-03-04 14:33:00 UTC
Stable for HPPA.

amd64 stable

x86 stable

ppc stable

sparc stable

alpha stable. Maintainer(s), please cleanup.

Arches, Thank you for your work. GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

CVE-2015-2157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2157): The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.